TECHNICAL MEMORANDUM 


A SIMULATION MODEL FOR PROBABILISTIC ANALYSIS OF 
SPACE SHUTTLE ABORT MODES 

I. INTRODUCTION 


The NASA space shuttle system is a reusable manned vehicle capable of transporting large pay- 
loads to low Earth orbit (LEO). The system is designed to provide abort options to accommodate “con- 
tained” system failures. Because of the complexity of the system, it is almost impossible to analytically 
evaluate the risk due to the various abort modes. This report presents a simulation model which has been 
developed to provide a probabilistic analysis tool to study the various space shuttle abort mode situa- 
tions. The simulation model considers just the propulsion elements of the shuttle system (i.e., external 
tank (ET), main engines, and solid boosters). Specifically, the model was developed to provide a better 
understanding of the probability of occurrence and successful completion of the abort modes during the 
ascent phase of the mission. The purpose of this document is to demonstrate the use of the simulation 
program based on the assumptions and the principles used. The results from the simulation runs 
discussed are for demonstration purposes only and are not official NASA probability estimates. 

1.1 Background 

1.1.1 Space Shuttle Description. The space shuttle is a system that has been designed to 
provide a manned reusable transport vehicle capable of transporting large payloads to LEO. The launch 
configuration of the system is shown in figure 1. The system consists of three main elements: the orbiter, 
the ET, and the solid rocket boosters (SRB’s). The orbiter is the manned vehicle that accommodates 
payload that is transferred between the ground and orbit. The orbiter ascends in a vertical configuration 
and returns to Earth as a transatmospheric plane. The propulsion systems that support the orbiter are two 
SRB’s, three space shuttle main engines (SSME’s), the ET, orbital maneuvering system engines, and 
reaction control system thrusters. 

The SSME’s provide thrust to help the orbiter attain ascent or successfully complete an abort. 
Three SSME’s are located at the aft end of the orbiter. The engine is throttlable, uses oxygen and hydro- 
gen propellant, and is designed to function for 55 starts (27,000 s). The rated power level (RPL) of the 
SSME is 470,000 lb of thrust in a vacuum, which corresponds to about 375,000 lb at sea level. The 
engines can be throttled from 65 to 109 percent of the RPL. During the ascent of the space shuttle, each 
engine burns for about 520 s during which it undergoes a throttling profile. A typical throttling profile 
(for STS-26) is shown in figure 2. The engines are throttled up to 100-percent RPL prior to SRB igni- 
tion. They then achieve 104 percent before being throttled down to 65 percent during a period of 
maximum aerodynamic pressure for the vehicle. After the period of maximum aerodynamic pressure on 
the vehicle has been passed, the engines are throttled back up to 104 percent where they remain before 
being throttled down prior to main engine cut-off (MECO). 

The ET is the “propellant tank” for the shuttle orbiter. It contains liquid hydrogen and liquid 
oxygen for use by the SSME’s. The ET is the backbone of the launch configuration in that it is attached 
to both the orbiter and the SRB’s. After MECO of the SSME’s, the ET reenters the atmosphere and 
disintegrates; the remnants of the ET land in the ocean. 




Figure 1. The space transportation system. 

Figure 2. An SSME mission thrust profile (STS-26 mission profile; horizontal axis: reference time). 


The SRB’s provide thrust to propel the space shuttle to orbit and serve as the launch pad mounts 
for the vehicle prior to lift-off. There are two SRB’s located on opposite sides of the ET. Each SRB 
produces approximately 2.9 million lb of thrust. The SRB’s complete their burn when the vehicle has 
reached about 150,000 ft, at which time they separate from the ET and drop into the ocean, with 
parachutes slowing their fall. The cases of the SRB’s are recovered and reused. 

The orbital maneuvering system (OMS) engines provide thrust to support the orbit attainment, 
orbit adjustments, and reentry of the vehicle. There are two OMS engines located on the aft end of the 
orbiter. The OMS engines use monomethylhydrazine and nitrogen tetroxide for their propellant. Each 
engine produces 6,000 lb of thrust in a vacuum. 

The reaction control system (RCS) thrusters provide thrust for pitch, yaw, and roll control of the 
vehicle. There are 44 thrusters in all, and they are located in the fore and aft portions of the orbiter. The 
RCS thrusters use monomethylhydrazine and nitrogen tetroxide for their propellant. The RCS thrusters 
include primary thrusters for major adjustments, which produce 870 lb of thrust in a vacuum each, and 
vernier thrusters, for finer adjustments, which produce 24 lb of thrust each in a vacuum. 

1.1.2 Space Shuttle Ascent and Abort Modes. The process of inserting the orbiter into orbit 
consists of four phases: the prelaunch phase, the first stage, the second stage, and the orbit insertion. 

The prelaunch period is the time during which the vehicle is held down and the SSME’s are fired. 


After the prelaunch time has been completed, the SRB’s are ignited, the vehicle is released from 
the pad, and the first stage operation begins. After lift-off, the SSME’s are throttled down before a 
period of maximum aerodynamic pressure is experienced by the vehicle. After the period of maximum 
pressure has been passed, the engines are throttled back up. After the SRB’s have completed their 
operation, they are separated from the ET. 

The second stage begins after SRB separation. The SSME’s are throttled down prior to MECO in 
order to achieve the desired insertion velocity. Once MECO is completed, the second stage has also been 
completed. 

After MECO, the ET separates from the orbiter; the OMS engines are then used to place the 
vehicle in the desired orbit. Either one or two OMS burns will be used, depending on the type of mission 
that is being performed. 

The STS has several abort options: return to launch site (RTLS), transoceanic abort landing 
(TAL), press to abort to orbit, press to MECO, late TAL, and contingency aborts. 

RTLS is the abort option which occurs during the first window for the shuttle. The window for 
this option varies from flight to flight, but, in general, it extends from shortly after SRB separation until 
the first capability for TAL. 

The RTLS is performed in three phases as shown in figure 3: powered flight, ET separation, and 
glide-flight. During the power-flight portion of the RTLS, if the vehicle is not at the boundary of RTLS 
capability, the pitch attitude is changed to allow the vehicle to be lofted out of the atmosphere. This will 
be performed until the required amount of fuel in the ET has been depleted. The pitch-around maneuver 
is then executed (at approximately 10°/s) to begin the flyback phase for the vehicle. The vehicle then 
aims itself at a target position and velocity for completing the RTLS. When the desired altitude is 
reached, the vehicle pitches down to an attitude of approximately -4°. The SSME’s are throttled down to 
65 percent and MECO is then performed. Shortly after MECO, the ET is separated from the orbiter. 

After ET separation, the vehicle pitches back up, and resumes a glide path for the RTLS runway. 

TAL is more complex than RTLS in that for a typical flight there are several possible TAL 
landing sites, and different criteria determine which site will be attempted. Some of the possible landing 
sites for TAL aborts are shown in figure 4. In general, the window for the initiation of this option 
extends from the inertial velocity at the RTLS/TAL window to the velocity of first press-to-abort (PTA) 
to orbit capability. 




Figure 4. Some TAL landing sites. 


The steps in performing a TAL include: selecting the TAL site, performing an OMS propellant 
dump, achieving the desired MECO altitude and velocity, performing MECO, and gliding to the landing 
site. The TAL site is selected based on the vehicle’s position in the ascent when the abort is initiated and 
will be discussed in detail in later sections. After the site has been selected, dumping of the OMS propel- 
lant will be initiated, and the vehicle will begin steering toward the selected landing site. After the 
vehicle has reached the desired altitude and velocity, the MECO will be performed. After MECO, the 
vehicle will glide to the runway at the target site. 

PTA is an abort option in which the vehicle attempts to achieve an off-nominal orbit. The lower 
orbit is attained because there is insufficient energy to attain a nominal orbit, and/or systems per- 
formance suggests that an early reentry may be desired. In general, the window for this option extends 
from the TAL/PTA boundary to the press-to-main (PTM) engine cut-off boundary. 

The procedure for a PTA is similar to the procedure for a nominal ascent, with the exception that 
the orbit that is attempted is shallower than the nominal orbit. After the PTA option is 
selected, the engines run until the desired MECO velocity and position are reached. After MECO, the two 
OMS engine burns place the vehicle in the desired orbit, as shown in figure 5. 

NOTE: This drawing is not to scale. 

Figure 5. Comparison of ATO and nominal orbits. 

PTM involves the vehicle attempting to achieve its desired orbit despite its problems. This option 
involves adjusting vehicle thrust and trajectory in order to achieve the desired orbit. The window for this 
option extends from the PTA/PTM boundary until MECO. The procedure for this abort option is similar 
to the PTA option, with the exception that the nominal orbit is attempted rather than a shallower one. 

Late TAL is an abort to a landing site that is performed because of an early MECO. This abort 
option is used when the vehicle cannot attain an orbit and it is past the region for the normal TAL 
option. This option is generally available during the last minute of flight. This option involves “gliding 
in” to the landing site that has been chosen based on the vehicle’s situation at the time of MECO. 

Contingency aborts are performed because of either structural failures, multiple systems failures, 
or multiple engine failures. A contingency abort is performed for multiple SSME failures whenever the 
thrust of the engines is inadequate for either the vehicle achieving orbit or an intact abort. The profile of 
a typical contingency abort is shown in figure 6. During a contingency abort due to multiple SSME 
failures, an attempt will be made to achieve a gliding path for the vehicle from which either a vehicle 
ditch or a crew bailout can be performed. The vehicle and crew will be lost if the vehicle is in a “black 
zone,” a region in which the vehicle’s structural constraints are exceeded, at the time of multiple engine 
failures. The current contingency capability for multiple engine failures during the ascent is shown in 
figure 7. 

Aborts for the space shuttle can be initiated for either systems problems or SSME failures. 

Figure 6. A typical contingency abort profile. 

Figure 7. Contingency abort capability. 

The procedure for selecting abort options for SSME failures is based on interaction between 
Mission Control and the astronauts. Flight procedures and checklists are used to minimize the decision 
time in the abort selection process. The earliest time at which an abort can be initiated is approximately 
2 min 30 s into the flight, which is shortly after SRB separation. The many different possible situations 
for SSME failures cause the abort selection process to be very complex, as the abort selected is largely 
a function of when the SSME failure(s) occurred during the STS ascent and aborts. 

1.1.2.1 STS Operational Flight Rules — All Flights. The purpose of the flight rules discussed in 
the document “STS Operational Flight Rules — All Flights” is stated as: “The flight rules outline pre- 
planned decisions designed to minimize the amount of real-time rationalization required when non- 
nominal situations occur from the start of the terminal countdown through crew egress or ground support 
equipment (GSE) cooling activation, whichever occurs later.” 4 

In the “Flight Operations Rules” section of the document, rules relating to abort procedures are 
discussed. In this section, the topics that are discussed include: shuttle abort criteria, ascent mode priori- 
ties for performance cases, aborts for systems failures, and contingency ascents/aborts. 

The shuttle abort criteria subsection states that the nominal ascent will not be continued if any of 
the following conditions occur: engine problems occur in a region where their performance is required, 
deorbit maneuver capability is lost, attitude control is lost, or consumables, cooling, or systems lifetime 
problems occur that will not support a first day landing to the primary landing site. The aborts that will be 
used due to engine problems will be chosen based on the region in which the engine(s) problems occurred. 

The subsection that discusses the ascent mode priorities for performance cases discusses the order of 
precedence for the selection of abort modes and provides some discussion on the performance of the aborts. 
The order of precedence for the abort modes is as follows: press-to-orbit (including press-to-MECO and 
press-to-abort-to-orbit (ATO)), TAL, RTLS, late TAL, and abort-once-around (AOA). The press-to-orbit 
decisions will be based on such factors as the ET impact location and post-MECO performance capability. 

The subsection that discusses the abort modes that will be used for systems failures describes 
systems failures that will result in abort initiation, and which aborts will be used for the various systems 
failures. Examples of systems failures that would result in aborts include: loss of a thermal windowpane, 
a cabin leak that results in a significant rate of pressure loss, two leaking or failed OMS tanks, the loss of 
two Freon loops, and the loss of two main busses. The abort modes that are considered in this section are 
RTLS, TAL, late TAL, and AOA. The abort modes that are used based on the systems failures are 
selected based on the option that provides the earliest available landing time or to avoid requiring a lost 
capability. 

The contingency ascents/aborts subsection provides a general discussion of contingency 
ascents/aborts and the possible outcomes. Contingency aborts will be used when structural failures or 
multiple systems or SSME failures have occurred. Possible contingency abort cases include the follow- 
ing: crew bailout or orbiter ditch due to the loss of multiple SSME’s in a region where no acceptable 
landing site is available; an attempt to land at an RTLS, TAL, AOA, or ACLS due to structural or 
multiple orbiter systems problems which necessitate landing at the earliest possible time; or an attempt 
to land at an RTLS, TAL, AOA, LS, or ACLS due to multiple SSME failures coupled with other orbiter 
failures which result in severe ascent performance loss. The contingency abort may result in the loss of 
the vehicle and the crew if there is total SSME thrust loss in a “black zone,” which is a region where the 
contingency abort would result in a violation of the vehicle’s constraints (such as structural constraints). 

1.1.2.2 Flight Procedure Handbook — Ascent/Aborts. The purpose of the “Flight Procedure 
Handbook — Ascent/Aborts” is stated as: “to describe and provide rationale for the flight procedures 
used using space shuttle ascent and aborts. It has been prepared for shuttle flight crews and ground 
operations personnel as an ascent flight training supplement and convenient reference source.” 5 

The Flight Procedure Handbook discusses in detail the procedures that the crew must be trained 
for during the ascent and during the performance of shuttle aborts. This document was a valuable 
reference in understanding the process that is involved in the ascent, and selecting and performing the 
abort options. 

When performance problems occur that will have to be compensated for by using aborts, a cer- 
tain amount of time is required by the crew (and possibly mission control) to discuss the problem and 
decide on the appropriate abort option to select. The time between the occurrence of the problem and the 
initiation of the selected abort option is referred to as the decision time. The decision time that is 
required is generally 15 s. 

The inhibit/enable switch is a device that is used to control whether or not the SSME’s will be 
automatically shut down due to exceedance of red-line limits of certain performance parameters. If the 
switch is in the enable position, the SSME’s are shut down if the red-lines are exceeded. If the switch is 
in the inhibit position, the SSME’s are not shut down if the red-lines are exceeded. The switch is in the 
enable position initially. If an engine fails while the vehicle has not yet reached a region of single engine 
capability, the switch is placed in the inhibit position. The switch may be placed back in the enable posi- 
tion if the engines achieve single engine capability while two engines are still functioning. 

1.1.2.3 Ascent Checklist. The ascent checklist 7 is a document that summarizes the procedures 
that the crew must perform during a shuttle ascent and during the performance of aborts. The checklist 
consists of a generic document that pertains to all flights and flight supplements that are used for the 
specific flight. Part of the ascent checklist flight supplement for STS-32 is contained in appendix A. 

The ascent checklist contains information that can be used by the shuttle crew to select the abort 
mode if performance problems occur with the vehicle and the crew does not have communication with 
mission control. The information contained in the ascent checklist is in the form of cards. During the 
flight, the cards are placed in a pad for the commander and pilot, and they may be referenced during the 
vehicle’s ascent and during abort attempts. Items of interest to this study that are contained in the ascent 
checklist include: the systems flight rules card, the no comm mode boundaries card, the auto TAL card, 
the late TAL card, the ascent ADI-nominal card, and the TAL redesignation cards. 

The systems flight rules card states which abort option(s) will be used for certain systems 
failures. The systems rules card is a summary of the information that is provided in the operational flight 
rules pertaining to the abort modes that will be used for systems failures. 

The no comm mode boundaries card is used by the crew if they do not have communication with 
mission control. This card contains vehicle inertial velocity boundary value information from which the 
abort options can be selected. 

The auto TAL card states the inertial velocity at which MECO would be performed for a TAL 
attempt. 

The late TAL card states the boundary inertial velocity values at MECO for late TAL attempts as 
well as the lowest inertial velocity at MECO for which a successful late TAL landing may be achieved. 

The ascent ADI-nominal card provides information on the vehicle’s inertial velocity versus the 
altitude of the vehicle. 

The TAL redesignation cards are used to select a landing site for a one-engine TAL attempt if a 
two-engine TAL attempt was selected and a second engine failed before the two-engine TAL attempt 
could be completed. TAL redesignation cards are included for two-engine TAL attempts to the primary 
two-engine TAL site, Benguerier, and the second two-engine TAL site, Moron. In using the TAL 
redesignation cards, the column that contains the first EO VI value is first entered by choosing the column 
that corresponds to the value of the inertial velocity at the time of the first engine failure and rounding to 
the nearest 100 value. The correct row item is chosen by selecting the row with the VI value that 
contains a value that is less than or equal to the inertial velocity at the time of the second engine failure 
and that contains the value closest to the inertial velocity value at the time of the second engine failure. 

1.2 Objective 

The purpose of this study was to develop a simulation model that could be used to analyze the 
various space shuttle abort mode situations and that could provide a better understanding of the 
probability of occurrence and successful completion of the abort modes during the ascent phase of the 
mission. 

1.3 Scope 

This study focuses on the effect of propulsion system failures on the ascent phase and the related 
abort modes for the space shuttle. Systems failures (such as APU failures, Freon loop failures, etc.) are 
not considered in this analysis. 

The space shuttle items which were considered (the propulsive elements) were: the SSME’s, the 
SRB’s, and the ET. 

The simulation program has been designed for supporting analysis of various mission situations. 
In addition to supporting analyses of specific missions, the program supports sensitivity analyses of the 
effects of various ascent and abort parameters. 


II. SIMULATION MODEL DEVELOPMENT 


2.1 Basic Approach to Model Development 

The basic approach to model development is described by an event tree diagram which accounts 
for all the events during the space shuttle ascent and its abort modes. The event tree diagram was con- 
structed by referring to NASA flight rules and procedures. The paths in the tree are determined based on 
the failure times of the propulsion system elements. The propulsion elements considered in the analysis 
are the ET, the SRB’s, and the SSME’s. A failure model described by a probability distribution is con- 
structed for each of the three elements. A failure of either the ET or the SRB at any time during their 
flight times will result in a catastrophic failure of the vehicle. For the SSME’s, the probability 
distribution is used to generate a failure time for each of the three engines. The failure time is then 
checked against the mission profile to determine if the mission is a success or if a failure has occurred 
that would result in loss of the vehicle or a mission abort. In case of an abort, the vehicle performance 
model is taken into consideration. The vehicle performance model considers the vehicle velocity versus 
mission time and the conditions for the successful completion of the abort modes. The vehicle velocity 
versus mission time is used to determine the velocity at which the engine failure occurs. Given this 
velocity, the time required for the engines to complete a successful abort is determined by the conditions 
for abort completion. A summary of the model elements that were developed is shown in figure 8. 



Figure 8. Basic approach to model development. 

2.2 Element Failure Modes 

Although various nonpropulsive systems failures would result in the initiation of abort options, 
this study only considered the effect of performance of space shuttle propulsive elements on 
ascent/aborts. The items which were considered in the model development were: the SSME’s, the 
SRB’s, and the ET. The models that were developed to represent the performance of these items are dis- 
cussed in the following sections. 

2.2.1 SSME’s Failure Model. The SSME’s were the most difficult elements to model since their 
design and operation are the most complex of the three items considered. The SSME’s operate at various 
performance levels and are subject to both benign (self-contained) failures and catastrophic (criticality 1) 
failures. An additional factor which must be considered in the modeling of the time-to-failure of the 
SSME’s is whether or not the engines are “inhibited” from shutting themselves down due to off-normal 
measurements. 

The SSME’s operate from the beginning of the prelaunch phase until they either shut down 
because of a failure or MECO is performed. 

The time-to-failure for the engines was treated as an exponential distribution. This distribution 
was considered for this case because the SSME’s are very complex, with many parts. For systems with 
many parts, an exponential distribution is sometimes used because the items are just as likely to 
experience “random” failures any time during their life. Another distribution considered was a Weibull 
distribution that is modeled to predict higher probability of failure during the early time of the item’s 
lifetime. This distribution has been shown to more accurately predict the failures for the SSME’s and 
should be used for future applications of the simulation program that was developed. The exponential 
distribution was used in this study for the initial demonstration of this simulation program because of its 
ease of use and simplified approximation of the predicted failure times of the SSME’s. 

Since various power levels, catastrophic and benign failures, and inhibited and enabled engines 
are being considered, distribution parameters are required for each case. The power levels that were 
considered were 100, 104, and 109 percent. Catastrophic failures are those failures that correspond to 
criticality 1 failures. Benign failures are those failures that correspond to failures that result in a safe 
engine shutdown. Inhibited engine failures are failures that occur when the engine is inhibited from 
failing due to red-line exceedance of its various performance items. Enabled engine failures are failures 
that occur when the engine is not inhibited from failing due to red-line exceedence of the various per- 
formance items. 

The source for obtaining the estimates for the exponential parameters for the various situations 
was the SSME reliability study by Dr. Safie. 9 The method for obtaining exponential time-to-failure 
estimates for the engines from the reliability study and estimates that are obtained are presented in the 
referenced study. 

For simplicity, the thrust profile that is used during the ascent phase was modeled using both 
100- and 104-percent RPL’s. A model of the thrust profile is shown in figure 9. The thrust level that was 
used for the various abort situations also used both 100- and 104-percent RPL’s. Abort mode attempts 
that will be said to have engines functioning at 104 percent are: 2-E RTLS, 2-E TAL, 2-E PTA, 1-E 
PTM, 1-E TAL to the primary TAL site, and 1-E TAL redesignation site attempts that require engines at 
104 percent. Abort mode attempts that will be said to have engines functioning at 109 percent are: 1-E 
RTLS and 1-E TAL redesignation sites that required engines functioning at 109 percent. 

The model for the operation of the enable/inhibit switch was based largely on discussions with 
engineers familiar with it. A diagram summarizing the operation of the switch, a summary of the 
development of the switch model, and a flowchart that depicts how the switch’s operation is modeled are 
presented in appendix B. As can be seen from the diagram, the switch is initially in the enable position. 
If a first engine failure occurs before the inertial velocity required for a one-engine abort capability has 
been reached, the switch is placed in the inhibit position. If there are no further engine failures before the 
one-engine abort capability is achieved, the switch is placed in the enable position when the VI 
boundary value for one-engine capability has been reached. If a second engine failure occurs, the switch 
is placed in the inhibit position, where it remains. 

From conversations with engineers familiar with the SSME, some general observations were 
provided concerning the performance of inhibited SSME’s in relation to the performance of enabled 
SSME’s. Approximately 50 percent of the failures that would lead to an engine shutdown due to red-line 
exceedance for the enabled SSME’s would lead to catastrophic failures in the case of inhibited SSME’s. 
An additional observation was that about 1 percent of the benign failures in the enabled SSME case 
would be benign failures in the case of the inhibited SSME. The use of the approximations that were 
suggested by the engineers in the development of the model for the switch is discussed in appendix B. 

2.2.2 SRB’s Failure Model. The operation of the SRB’s was considered from the time of their 
ignition to the time of their separation (or, for the first stage). 

Since the performance of the SRB’s is largely driven by the manufacturing process, they were 
modeled somewhat differently than the SSME’s. The probability of the successful operation of the 
SRB’s up until separation was treated as a Bernoulli distribution, with the SRB’s either catastrophically 
failing or successfully completing their burn time. If it is determined that the SRB’s will fail, the time of 
the SRB failure is then determined. The time to failure for the SRB’s is treated as being uniformly dis- 
tributed, with the earliest time occurring at ignition and the last time occurring at separation. 

2.2.3 ET Failure Model. The operation of the ET was considered from the time of the beginning 
of prelaunch until either an abort was initiated or nominal MECO of the SSME’s occurred. 

The performance of the ET was treated similarly to that of the SRB’s. The probability of success 
was treated as a Bernoulli distribution. If a failure occurred, the time to failure was treated as being uni- 
formly distributed, with the minimum time occurring at the beginning of the prelaunch phase and the last 
time occurring at the time of MECO. 
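
The failure models of sections 2.2.1 to 2.2.3, including the enable/inhibit switch, as an added Python sketch; it is not the memorandum's simulation program. Every rate, probability and time boundary except the 520-s burn is a placeholder, the one-engine capability boundary is expressed as a time instead of an inertial velocity, a single power level is used, and the inhibited-engine rates are one assumed reading of the 50-percent and 1-percent observations above.

```python
import math
import random
from dataclasses import dataclass

# Times are seconds of mission elapsed time (MET). Only the 520-s SSME burn is
# taken from the memorandum; the other boundaries are illustrative placeholders.
PRELAUNCH_START_S = -6.0   # placeholder: SSME start before lift-off
SRB_IGNITION_S = 0.0
SRB_SEP_S = 125.0          # placeholder
ONE_ENGINE_CAP_S = 300.0   # placeholder: MET at which the one-engine VI boundary is reached
MECO_S = PRELAUNCH_START_S + 520.0


@dataclass
class Params:
    lam_benign: float   # enabled-engine benign shutdown rate, per engine per second
    lam_cat: float      # enabled-engine catastrophic failure rate, per engine per second
    p_srb_fail: float   # Bernoulli probability that the SRB's fail before separation
    p_et_fail: float    # Bernoulli probability that the ET fails before MECO


def switch_position(t, benign_times):
    """Enable/inhibit switch position at MET t, following section 2.2.1."""
    past = [f for f in benign_times if f <= t]
    if len(past) >= 2:
        return "inhibit"   # second engine failure: inhibit, where it remains
    if len(past) == 1 and past[0] < ONE_ENGINE_CAP_S and t < ONE_ENGINE_CAP_S:
        return "inhibit"   # first failure before one-engine capability
    return "enable"        # initial position, or capability boundary reached


def engine_rates(position, p):
    """Per-engine (benign, catastrophic) exponential rates for a switch position."""
    if position == "enable":
        return p.lam_benign, p.lam_cat
    # Assumed reading: with shutdown inhibited, half of the would-be red-line
    # shutdowns become catastrophic and 1 percent remain benign.
    return 0.01 * p.lam_benign, p.lam_cat + 0.5 * p.lam_benign


def sample_ssme(rng, p):
    """Return (benign shutdown times, catastrophic failure time or None)."""
    t, running, outs = PRELAUNCH_START_S, 3, []
    while running > 0:
        pos = switch_position(t, outs)
        lam_b, lam_c = engine_rates(pos, p)
        rate = running * (lam_b + lam_c)
        # The rates next change without a failure when the switch returns to enable.
        horizon = ONE_ENGINE_CAP_S if pos == "inhibit" and len(outs) == 1 else MECO_S
        t_next = t + rng.expovariate(rate) if rate > 0 else math.inf
        if t_next >= horizon:
            if horizon == MECO_S:
                return outs, None
            t = horizon            # exponential is memoryless: redraw with new rates
            continue
        t = t_next
        if rng.random() * (lam_b + lam_c) < lam_c:
            return outs, t         # criticality 1 failure
        outs.append(t)
        running -= 1
    return outs, None


def run_trial(rng, p):
    """One ascent: ('nominal' | 'engine_out' | 'loss_of_vehicle', event time)."""
    outs, ssme_cat = sample_ssme(rng, p)
    # SRB and ET: Bernoulli success/failure, then a uniformly distributed failure time.
    srb = rng.uniform(SRB_IGNITION_S, SRB_SEP_S) if rng.random() < p.p_srb_fail else None
    et = rng.uniform(PRELAUNCH_START_S, MECO_S) if rng.random() < p.p_et_fail else None
    lost = min((x for x in (ssme_cat, srb, et) if x is not None), default=None)
    if lost is not None:
        return "loss_of_vehicle", lost
    if outs:
        return "engine_out", outs[0]   # input to the abort-mode selection logic
    return "nominal", None


def estimate(n, p, seed=0):
    """Fraction of n simulated ascents ending in each outcome."""
    rng = random.Random(seed)
    counts = {"nominal": 0, "engine_out": 0, "loss_of_vehicle": 0}
    for _ in range(n):
        counts[run_trial(rng, p)[0]] += 1
    return {k: v / n for k, v in counts.items()}


if __name__ == "__main__":
    # Placeholder parameters, not NASA estimates.
    print(estimate(20000, Params(2e-5, 2e-6, 0.005, 0.001)))
```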

2.3 Vehicle Performance Model 

A model was developed for the performance of the vehicle during the ascent and during the abort 
modes. The model for the ascent involved obtaining an estimate for the vehicle’s inertial velocity as a 
function of time. The models for the vehicle’s performance during the abort modes involved estimating 
the time or inertial velocity that was required for successful completion of the abort options. 

2.3.1 Ascent Flight Phase Model. Since inertial velocity is the parameter that is used to decide 
between different abort options and since the run time of the engines is the value that is obtained based 
on the distributed times to failure for the engines, a model was required for the simulation that depicted 
the vehicle’s inertial velocity as a function of the time during the ascent at which the failure occurred. 
The development of the vehicle ascent is discussed in its entirety in appendix C. 

By plotting the VI as a function of MET for space shuttle ascent performance data, it was 
observed that the function can be modeled as an exponential function during the second stage. Since no 
aborts can be initiated before the beginning of the second stage, only the values in this region were con- 
sidered. The VI versus mission elapsed time for the second stage can be modeled as: 

VI = exp(a+b*T) , (1) 


where 


VI = the vehicle’s inertial velocity 
a = a coefficient 
b = a coefficient 
T = the mission elapsed time. 

2.3.2 Return to Launch Site Mode Model. An RTLS attempt is said to be successful if the time 
of the engine failure(s) are greater than the time that is required for an RTLS completion. The develop- 
ment of the model of the RTLS required time for completion is discussed in its entirety in appendix E. 

In developing the model, VI versus the MET data for an RTLS attempt was considered. The 
model considered two phases during the RTLS attempt: the fuel dissipation phase, and the flyback and 
powered pitchdown phase. During the fuel dissipation phase, the vehicle is heading down range prior to 
heading back to the launch site. This phase is therefore very dependent on the time at which the abort 
was initiated. The data that appeared to represent the fuel dissipation phase were linear and appeared to 
be dependent on the time that the first engine failed. The flyback and powered pitchdown phases are 
performed to attain a proper attitude to release the ET and to attain a proper range and velocity at MECO so 
that a successful RTLS abort may be performed. It appears reasonable that the total duration of the 
flyback and powered pitchdown phases should be fairly constant over the range of initiation times for the 
RTLS attempt since there is not much flexibility in the position that the vehicle should be in for performing 
ET separation and MECO. The data that appeared to represent this phase exhibited very nonlinear 
characteristics, but the total time duration seemed to be relatively constant for different abort initiation times. 
Models for the required time for the completion of both of the phases were combined to obtain an 
estimate for the required run time to complete an abort. 

The required remaining run time for engines for the successful completion of a two-SSME RTLS 
abort is therefore: 

Treqd(2-E RTLS) = 350+(270/(T(L.RTLS)-T(E.RTLS)))*(T(L.RTLS)-T(init.)) . (2) 

The required remaining run time for the remaining engine functioning at 109-percent RPL is 
therefore: 

Treqd(1-E RTLS) = 1.91*(Treqd(2-E RTLS)-T(second failure)) . (3) 

2.3.3 Transoceanic Abort Landing Mode Model. A TAL attempt is said to be successful if the 
vehicle attains the inertial velocity that is required for a successful TAL attempt. The development of the 
model of the TAL VI versus t is discussed in appendix F. 

Since the VI value of the vehicle is the criterion that must be known for making the TAL option 
selections, an estimate was required for the vehicle acceleration in order to relate the mission elapsed 
time to the current vehicle VI value. 

In order to see if the programming could remain simpler, acceleration estimates for TAL, PTA, 
and PTM were made and compared with each other to see if they could be combined into one estimate. 
The estimation of the vehicle acceleration is discussed in appendix D. The acceleration values that will 
be used for the vehicle for the abort options at the various number of functioning engines and engine 
power levels are therefore: 


ACC(1,104) = 22.8 ft/s^2 
ACC(1,109) = 23.8 ft/s^2 
ACC(2,104) = 45.5 ft/s^2 . 

The 2-E TAL attempts occur with the engines functioning at 104 percent, and the 1-E TAL 
attempts occur with the engines functioning at either 104 or 109 percent. For a 2-E TAL attempt, 

Treqd = (VITMCO-VITBF(1))/ACC(2,104) . (4) 

For a 1-E TAL attempt with the engine functioning at 104-percent RPL, 

Treqd = (VITMCO-VITBF(1)-ACC(2,104)*(TENGBF(2)-TENGBF(1)))/ACC(1,104) . (5) 

For a 1-E TAL attempt with the engine functioning at 109-percent RPL, 

Treqd = (VITMCO-VITBF(1)-ACC(2,104)*(TENGBF(2)-TENGBF(1)))/ACC(1,109) . (6) 
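
Equations (4) to (6) applied to constructed failure sequences, as an added Python example that is not the memorandum's Fortran code. It assumes VITMCO is the 24,000 ft/s "MECO for TAL" boundary listed in section 4.1 and compares the available engine run time directly with Treqd, ignoring decision time and site redesignation; the function names, failure times and first-failure VI are constructed for illustration.

```python
# Added illustration of Eqs. (4)-(6); names and sample inputs are hypothetical.

# Vehicle acceleration in ft/s^2, keyed by (functioning engines, power level %),
# exactly as listed in section 2.3.3.
ACC = {(1, 104): 22.8, (1, 109): 23.8, (2, 104): 45.5}

# Assumption: VITMCO is the "MECO for TAL" VI boundary from section 4.1.
VITMCO = 24_000.0


def treqd_two_engine_tal(vi_first):
    """Eq. (4): run time two engines at 104 percent need to reach VITMCO."""
    return (VITMCO - vi_first) / ACC[(2, 104)]


def vi_at_second_failure(vi_first, t_first, t_second):
    """VITBF(1) + ACC(2,104)*(TENGBF(2)-TENGBF(1)), the term subtracted in Eqs. (5)-(6)."""
    if t_second < t_first:
        raise ValueError("second failure cannot precede the first")
    return vi_first + ACC[(2, 104)] * (t_second - t_first)


def treqd_one_engine_tal(vi_first, t_first, t_second, power):
    """Eq. (5) for power=104, Eq. (6) for power=109."""
    if (1, power) not in ACC:
        raise ValueError("one-engine TAL is modeled at 104 or 109 percent only")
    vi_second = vi_at_second_failure(vi_first, t_first, t_second)
    return (VITMCO - vi_second) / ACC[(1, power)]


def tal_attempt(vi_first, t_first, t_second, t_third, power=104):
    """Simplified success check: did the engines run at least Treqd seconds?

    Returns (outcome, required_run_time_in_seconds).
    """
    need_two = treqd_two_engine_tal(vi_first)
    if t_second - t_first >= need_two:
        return "2-E TAL COMPLETE", need_two
    need_one = treqd_one_engine_tal(vi_first, t_first, t_second, power)
    if t_third - t_second >= need_one:
        return "1-E TAL COMPLETE", need_one
    return "THIRD FAILURE BEFORE COMPLETION", need_one


if __name__ == "__main__":
    # Constructed case: first failure at 200 s with VI = 7,000 ft/s,
    # second failure at 300 s, third failure at 830 s.
    for level in (104, 109):
        print(level, tal_attempt(7_000.0, 200.0, 300.0, 830.0, level))
```

With these constructed inputs the last engine must run about 546 s at 104 percent but only about 523 s at 109 percent, so a third failure 530 s after the second defeats the abort at one power level and not the other.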

2.3.4 Late TAL Mode Model. A late TAL attempt is said to be successful if the vehicle’s VI 
value at the time of the premature MECO is greater than the minimum value required for the completion 
of a late TAL attempt and less than the maximum value for the selected late TAL option. 

2.3.5 Press to MECO Mode Model. The abort attempt is said to be a success if the vehicle 
achieves the inertial velocity that is required to achieve the orbit. The development of the model of the 
PTM required time to completion is discussed in appendix G. For a 2-E PTM with the engines at 104- 
percent RPL, 


Treqd(2) = (3/2)*(TASCNT(5)-TENGBF(1)) . (7) 

For a 1-E PTM with the engine at 104-percent RPL, 

Treqd(1) = 3*TASCNT(5)-TENGBF(1)-2*TENGBF(2) . (8) 

2.3.6 Press to Abort to Orbit Mode Model. The abort attempt is said to be a success if the 
vehicle achieves the inertial velocity that is required to achieve the orbit. The development of the PTA 
required time to completion is discussed in appendix G. For a 2-E PTA with the engines functioning at 
104-percent RPL, 


Treqd(2) = (3/2)*(TASCNT(5)-TENGBF(1)) . (9) 

2.3.7 Contingency Mode Model. Contingency aborts that are initiated when there are two failed 
SSME’s in a region where no other abort options are available are said to result in crew bailouts with the 
loss of the vehicle. The results of contingency aborts that are initiated when there are three failed 
SSME’s in a region where no other abort options are available are said to result in either a crew bailout 
with the loss of the vehicle or the loss of the crew and vehicle due to the exceedance of constraints on 
the vehicle. The crew will be said to bail out if the three engines failed in a region not in the contingency 
abort “black zone.” The crew and the vehicle will be said to be lost when the three engines failed within 
the “black zone.” The region of the black zone will be said to extend from a VI value of 8,000 ft/s up to 
a VI value of 18,000 ft/s. 

2.4 Ascent/Abort Event Tree Diagram 

The event tree that was developed to model the space shuttle ascent and its abort options is based 
on NASA procedures and conversations with personnel involved with analysis of space shuttle 
ascent/aborts. The event tree is shown in appendix H. 

2.4.1 Example Event Tree Description. A hypothetical portion of an event tree is shown in 
figure 10. This event tree is for description purposes only and is not part of the actual ascent/abort event 
tree. 


The tree is continued from a previous path after the first engine failure occurred. If the time 
between the first and second failures is greater than the time required to make a decision, the inertial 
velocity of the vehicle is compared with the inertial velocity required for the initiation of a two-engine 
abort to the abort site. If the inertial velocity is greater than that required for the initiation of a two- 
engine abort, the event path is continued on chart 2; otherwise the path is continued on chart 3. If the 
time between the second and the first failures is less than the decision time, the criticality of the engine 
failure is checked. If a catastrophic failure occurred, the crew and vehicle are lost. If a catastrophic 
failure did not occur, the inertial velocity of the vehicle is compared to the inertial velocity required for a 
one-engine abort attempt. If the inertial velocity is less than that required for a one-engine abort, the 
crew bails out of the vehicle. If the inertial velocity is not less than the required velocity, a one-engine 
abort is attempted. If the third engine failure occurs before the completion of the one-engine abort, the 
criticality of the failure is checked. If the engine failure was catastrophic, the crew and vehicle are lost. 

If the failure was not catastrophic, the inertial velocity of the vehicle is checked to see if the vehicle is in 
a black zone. If the vehicle is in a black zone, the vehicle and crew are lost, otherwise the crew bails out 
of the vehicle. 

Figure 10. A hypothetical event tree segment. 










III. COMPUTER CODE DEVELOPMENT 


3.1 Computer Program Overview 

The computer code that was developed in Fortran 77 can be obtained by requesting it from the 
NASA Marshall Space Flight Center Program Development Office (PD22). A simplified overview of 
the program is shown in figure 11. As can be seen from the diagram, during the simulations the failure 
times of the elements are first generated. The failure times are generated from statistical distributions, 
the values of which are determined by pseudo-randomly generated numbers. The failure times are 
checked to see if any failures occurred before the completion of the ascent. If a failure did occur, the 
type of failure is checked to determine if the failure was an ET, SRB, or SSME failure. If either an ET or 
SRB failure occurred, the crew and vehicle are counted as being lost. If an SSME failure occurred, the 
criticality of the failure is checked. If the failure was catastrophic, the vehicle is lost. If the SSME failure 
was not catastrophic, the vehicle attempts an abort. If the abort is successful the vehicle is safe; other- 
wise, the vehicle is lost. 



3.2 Program Modules 

3.2.1 Initial Abort Selection. Subroutine ABTSLCT represents the selection of abort modes for 
one-engine out. The subroutine is called when there is one shutdown SSME on the vehicle in a region of 
the ascent where an abort may be initiated. The region during which a one SSME shutdown abort may 
be initiated begins at approximately 150 MET and lasts until the time of MECO. 

If there is sufficient time between the first two engine failures to make a decision, the appropriate 
subroutine (RTLS, TAL, or PRESS) is called based on the vehicle’s inertial velocity at the time of the engine 
failure. 


If there is not sufficient time between the first two engine failures to make a decision and if the 
second failure was not catastrophic, the time of the third engine failure is checked to see if there was 
enough time before the third engine failure to make a decision. If there is not enough time before the 
third engine failure and the engine failure is not catastrophic, a subroutine is called to determine if the 
vehicle successfully completes a late TAL. 

If there is enough time between the second and third engine failure to make a decision, the one- 
SSME abort option is chosen based on the vehicle’s VI. If a one-SSME PTM is attempted and the 
engine fails before abort completion and it is a benign failure, a subroutine is called to simulate a late 
TAL attempt. If a one-SSME TAL or late TAL is attempted and a benign engine failure occurs before 
abort completion, the vehicle and crew are lost if they are in a black zone or the vehicle is lost and the 
crew bails out. If the one-SSME VI is less than the VI required for a TAL droop, the crew is said to bail 
out and the vehicle is said to be lost. 

3.2.2 RTLS Performance. Subroutine RTLS represents the RTLS success/failure logic. This 
subroutine is called from ABTSLCT when an RTLS attempt is selected based on the ascent VI value at 
which there was one shutdown SSME. 

If a benign second engine failure occurs before the completion of a two-SSME RTLS and there is 
adequate time between either the first and second failures or the second and third failures to make a 
decision, a one-SSME RTLS is attempted. If there is a benign failure of the third engine before the 
completion of the one-SSME RTLS, the VI of the vehicle is checked to see if it is in a black zone. If the 
vehicle is in a black zone, the vehicle and crew are said to be lost, otherwise the vehicle is lost and the 
crew bails out. 

If there are three engine failures of which none are catastrophic before a decision can be made, 
either the vehicle and crew will be lost or just the vehicle will be lost, depending on whether or not the 
vehicle is in a black zone region. 

3.2.3 TAL Performance. Subroutine TAL represents the TAL success/failure logic. This 
subroutine is called from ABTSLCT when a TAL attempt is selected based on the ascent VI value at which 
there was one shutdown SSME. 

If a second benign engine failure occurs before the completion of a two-SSME TAL and there is 
enough time to make a decision before a third engine failure, a one-SSME TAL redesignation option is 
selected by calling the subroutine TALSLCT. If the vehicle’s VI is too low, a crew bailout is performed, 
otherwise an attempt for the selected one-E TAL site is attempted. If a third benign engine failure occurs 
before the abort is completed, the crew either bails out or is lost depending on whether or not the vehicle 
is in a black zone. 

If there is not enough time between the first and second engine failures to make a decision, either 
a one-SSME TAL attempt to the primary site or a TAL droop will be attempted if the vehicle has an 
adequate VI value. If a third benign engine failure occurs before the completion of either a one-E TAL 
or TAL droop attempt, a contingency abort is attempted. If the VI value is less than the VI boundary 
value for a TAL droop, the crew is said to bail out and the vehicle is said to be lost. 

3.2.4 TAL Redesignation Option Selection. Subroutine TALSLCT represents the logic for 
selection of a two-engine out TAL redesignation site. If the rounded value for the VI at the time of the 
first engine failure is greater or equal to the lowest VI value for one-SSME TAL capability, the sub- 
program of the value of the first engine out entry that matches up with the VI at which the first engine 
failed is found by performing a loop for the total number of TAL redesignation velocities. When a value 
is found that corresponds to the VI at the first failure, the integer parameter that corresponds to this value 
is assigned the value that the counter has at that time. 

After the proper column is found on the TAL redesignation chart, the option that will be selected 
at that value of the first engine failure is chosen. To select the correct option, a loop is first entered that 
will be performed for the total number of redesignation options for two engines out. Whenever the 
rounded value for the VI of the second failure is greater than or equal to the boundary value at an option, 
the option variable is assigned the value of the counter corresponding to that option. After the loop is 
completed, the option variable will contain the value that corresponds to the redesignation option that 
has been chosen. 

3.2.5 Late TAL Performance. Subroutine LATETAL represents the late TAL success/failure 
logic. This subroutine is called from ABTSLCT, TAL, and PRESS after an early MECO occurs in a 
region where a late TAL can be attempted. 

If the inertial velocity of the vehicle is less than that required for the earliest late TAL capability, 
a contingency abort is attempted. If the VI value is less than or equal to the boundary for the first option 
but greater than or equal to the earliest late TAL boundary value, then the vehicle is said to successfully 
land at the first late TAL site. For the subsequent late TAL options, if the VI value is less than the 
boundary value, the vehicle is said to successfully land at the late TAL site corresponding to that option. 
If the VI value is greater than the value for the last option (the option with the highest VI boundary 
value), then contingency abort will be attempted. 

3.2.6 PTM and PTA Performance. Subroutine PRESS represents the PTA and PTM 
success/failure logic. This subroutine is called from ABTSLCT when a PTA or PTM attempt is selected 
based on the ascent VI value at which there was one shutdown SSME. 

Whether a two-SSME PTA attempt or a two-SSME PTM attempt will be made is first deter- 
mined. The logic for both a two-SSME PTA and a two-SSME PTM attempt are similar to each other 
with the only difference being the two-SSME attempts. 

If a second benign SSME failure occurs during the completion of the two-SSME abort attempt, 
and there is adequate decision time between the times of the engine failures, either a crew bailout, a TAL 
droop, a one-SSME TAL to the primary site, or one-SSME PTM is attempted. If the vehicle has an iner- 
tial velocity less than that required for a TAL droop attempt, the crew bails out and the vehicle is lost. If 
a benign engine failure occurs before the completion of an attempted one-SSME abort option, the sub- 
routine LATETAL is called to determine if the vehicle successfully completes a late TAL. 

If there is not enough decision time before the second benign engine failure and if the third 
benign engine failure does not happen before the required decision time, logic similar to the case where 
the time between the first and second failures is not less than the decision time is followed. If there is not 
enough time to make a decision between either the first and the second or the second and third engine 
failure times, the subroutine LATETAL is called to determine if the vehicle successfully completes a 
late TAL attempt. 

3.2.7 Random Number Generation. Function RANDOM is the pseudo-random number 
generator for the program. 

3.2.8 Exponential Distribution Value Generation. Function EXPON creates exponentially 
distributed random variables. The generated random number is converted in this function to an 
exponentially distributed random variable by using the formula: 

EXPON = -THETA*LN(RANDOM) , (10) 


where: 

EXPON = an exponentially distributed random number 
THETA = the MTBF for the exponential distribution 
RANDOM = a randomly generated number, Unif(0..1) . 

3.2.9 Uniform Distribution Value Generation. Function UNFRM creates uniformly distributed 
random variables. The generated random number is converted in this function to a uniformly distributed 
random variable by using the formula: 

UNFRM = A+(B-A)*RANDOM , (11) 


where: 


UNFRM = a uniformly distributed random number 

A = the lowest possible value 

B = the highest possible value 

RANDOM = a randomly generated number, Unif(0..1) . 

3.2.10 SRB Time to Failure Generation. Function SRBFT determines the failure time for the 
SRB pair. As can be seen from the code, it is first determined whether the SRB pair will fail, based on 
the probability of failure. If it is determined that it will fail, a time of failure is generated which will lie 
in the time from SRB ignition to SRB separation. If it is determined that it will not fail, the failure time 
is set to be a very high number. 

3.2.11 ET Time to Failure Generation. Function ETFT determines the failure time for the ET. 
As can be seen from the code, it is first determined whether the ET will fail, based on the probability of 
failure. If it is determined that it will fail, a time of failure is generated which will lie in the time from 
SRB ignition to nominal MECO separation. If it is determined that it will not fail, the failure time is set 
to be a very high number. 
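
The sampling scheme of sections 3.2.8 to 3.2.11 as an added Python example (not the memorandum's Fortran 77 code): inverse-transform sampling for Eqs. (10) and (11), and the Bernoulli-then-uniform pattern described for SRBFT and ETFT, checked against the closed-form probability of reaching MECO with no failure. The failure probabilities, MTBF, event times, sentinel value, the single exponential per SSME and classification by first event only are all constructed assumptions.

```python
import math
import random

# The "very high number" assigned when an element does not fail (value assumed).
NO_FAILURE = 1.0e30


def expon(theta, u):
    """Eq. (10): EXPON = -THETA*LN(RANDOM), with u drawn from Unif(0..1)."""
    if not 0.0 < u <= 1.0:
        # LN(0) is undefined, so a generator that can return exactly 0
        # must be remapped before it reaches this function.
        raise ValueError("u must lie in (0, 1]")
    return -theta * math.log(u)


def unfrm(a, b, u):
    """Eq. (11): UNFRM = A+(B-A)*RANDOM."""
    return a + (b - a) * u


def element_failure_time(p_fail, t_first, t_last, rng):
    """SRBFT/ETFT pattern: Bernoulli trial, then a uniform time to failure."""
    if rng.random() < p_fail:
        return unfrm(t_first, t_last, rng.random())
    return NO_FAILURE


def first_ssme_failure(theta, rng, engines=3):
    """Earliest of the independent exponential SSME failure times."""
    # random() returns values in [0, 1); 1 - random() lies in (0, 1].
    return min(expon(theta, 1.0 - rng.random()) for _ in range(engines))


def classify(srb_t, et_t, ssme_t, t_meco):
    """Label a run by the first failure that occurs before MECO, if any."""
    if min(srb_t, et_t, ssme_t) >= t_meco:
        return "nominal"
    if min(srb_t, et_t) <= ssme_t:
        return "et_or_srb_loss"
    return "ssme_failure"


def simulate(n, seed, p_srb, p_et, theta, t_sep, t_meco):
    """Run n ascents and return the fraction of runs in each class."""
    rng = random.Random(seed)
    counts = {"nominal": 0, "et_or_srb_loss": 0, "ssme_failure": 0}
    for _ in range(n):
        srb_t = element_failure_time(p_srb, 0.0, t_sep, rng)
        et_t = element_failure_time(p_et, 0.0, t_meco, rng)
        ssme_t = first_ssme_failure(theta, rng)
        counts[classify(srb_t, et_t, ssme_t, t_meco)] += 1
    return {name: count / n for name, count in counts.items()}


def analytic_nominal(p_srb, p_et, theta, t_meco, engines=3):
    """Closed-form P(no failure before MECO) for the same toy model."""
    return (1.0 - p_srb) * (1.0 - p_et) * math.exp(-engines * t_meco / theta)


if __name__ == "__main__":
    # Constructed inputs, not values from the memorandum.
    args = dict(p_srb=0.01, p_et=0.005, theta=50_000.0, t_sep=125.0, t_meco=520.0)
    print(simulate(100_000, seed=1, **args))
    print("analytic nominal:", analytic_nominal(0.01, 0.005, 50_000.0, 520.0))
```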

3.2.12 SSME Time to Failure Generation. Subroutine FLRTIME determines engine failure 
times. This function is used for calculating several different times-to-failure for the SSME’s: the time-to- 
failure for the first engine at 100 percent, the time-to-failure for the first engine at 104 percent, the time- 
to-failure for an inhibited SSME for the second failure, the time-to-failure for an enabled SSME for the 
second failure, the time-to-failure at 104 percent for an inhibited SSME for the third failure, the time-to- 
failure at 104 percent for an enabled SSME for the third failure, the time-to-failure at 109 percent for an 
inhibited SSME for the third failure, and the time-to-failure at 109 percent for an enabled SSME for the 
third failure. 

FLRTIME(1) is called to determine the failure times before a failure occurs. The engines are first 
sorted according to their times-to-failure at 100 percent. The position of the engine that experiences the 
first failure, its time-to-failure (ENGT(1)), and the criticality of the failure are the returned values. The 
engines are then sorted according to their times-to-failure at 104 percent. The position of the engine that 
experiences the first failure, its time-to-failure (ENGT(2)), and the criticality of the failure are the 
returned values. 

FLRTIME(2) is called to determine the failure times after one engine failure occurs. The 
inhibited engine at 104 percent that experiences the second failure is determined by comparing the 
inhibited engine failure times at 104 percent. The position of the second engine that failed, its time-to- 
failure (ENGT(3)), and its criticality are the returned values. The enabled engine at 104 percent that 
experiences the second failure is determined by comparing the enabled engine failure times at 104 
percent. The position of the second engine that failed, its time-to-failure (ENGT(4)), and its criticality are 
the returned values. 

FLRTIME(3) is called to determine the failure times after a second engine failure occurs. The 
inhibited engine at 104 percent that experiences the third failure is determined by comparing the 
inhibited engine failure times at 104 percent. The position of the third engine that failed, its time-to- 
failure (ENGT(5)), and its criticality are the returned values. The enabled engine at 104 percent that 
experiences the third failure is determined by comparing the enabled engine failure times at 104 percent. 
The position of the third engine that failed, its time-to-failure (ENGT(6)), and its criticality are the 
returned values. The inhibited engine at 109 percent that experiences the third failure is determined by 
comparing the inhibited engine failure times at 109 percent. The position of the third engine that failed, 
its time-to-failure (ENGT(7)), and its criticality are the returned values. The enabled engine at 109 per- 
cent that experiences the third failure is determined by comparing the enabled engine failure times at 109 
percent. The position of the third engine that failed, its time-to-failure (ENGT(8)), and its criticality are 
the returned values. 

3.2.13 SSME Failure Time Determination. Function TIMEF determines the corresponding 
mission times at which engine failures occur. This function is used to calculate engine failure time for 
several different conditions during a mission: the time of failure for engines exposed to prelaunch 
operation, the time of failure for the engines exposed to first stage operation, the time of the second 
engine failure, the time of failure for engines exposed to second stage operation, the time interval 
between the first and second engine failures, the time interval between the second and third engine 
failures, the time of failure of the third engine at 104 percent, the time of failure of the third engine for 
TAL redesignation option attempts, and the time of failure of the third engine at 109 percent. 

For TIMEF(1), the time of the first engine failure at 100 percent is determined. The engine with 
the earliest failure time at 100 percent, its failure time, and criticality are returned. 

For TIMEF(2), the time of a failure for the first stage is determined. It is determined if a failure 
occurs before, during, or after the throttle-bucket based on the earliest engine failures at 100 and 104 
percent. If a failure occurs during one of the three phases, the appropriate time of the engine failure is 
determined by considering the engine times to failure at 100 and 104 percent. The returned values are 
the time of the first engine failure, the position of the engine, the criticality of failure, and a value that 
represents the number of engine failures at 104 percent. 

For TIMEF(3), the time of a second engine failure is determined by considering whether the 
engines are inhibited, and whether there was a previous engine failure at 104 percent. The returned 
values are the time of the second engine failure, the position of the engine, and the criticality of the 
failure. 


For TIMEF(4), the time of an engine failure for the second stage is determined. The failure time 
is determined by considering if a failure occurs either before pre-MECO throttle-down or during pre- 
MECO throttle-down. If a failure occurs during either phase, the appropriate time of the engine failure is 
determined by considering the engine times to failure at 100 and 104 percent. The returned values are 
the time of the first engine failure, the position of the engine, and the criticality of the failure. 

For TIMEF(5), the time between the first and second engine failures is determined by consider- 
ing whether the engines are inhibited, and whether there was a previous engine failure at 104 percent. 
The returned values are the time between the first and second engine failures, the time of the second 
engine failure, the position of the engine that fails second, and the criticality of the second engine failure. 

For TIMEF(6), the time between the second and the third engine failures is determined by con- 
sidering whether engines are inhibited. The returned values are the time between the second and third 
engine failures, the time of the third engine failure, the position of the engine that fails third, and the 
criticality of the third engine failure. 

For TIMEF(7), the time that a third engine fails while performing at 104 percent is determined 
by considering whether the engines are inhibited. The returned values are the time of the third engine 
failure, the position of the failed engine, and the criticality of the failure. 

For TIMEF(8), the time that a third engine fails while a TAL redesignation attempt is being 
performed is determined by considering whether the engines are inhibited and what thrust level is being 
used with the engine to complete the abort attempt. The returned values are the time of the third engine 
failure, the position of the failed engine, and the criticality of the failure. 

For TIMEF(9), the time that a third engine fails while performing at 109 percent is determined 
by considering whether the engines are inhibited. The returned values are the time of the third engine 
failure, the position of the failed engine, and the criticality of the failure. 

3.2.14 SSME Required Run Time Determination. Function TREQD determines the required 
engine run times. This function is used to calculate the required engine run times for several different 
situations: the time required for the remaining engine to run to complete a one-engine PTM, the time 
required for the remaining engine to run to complete a one-engine TAL at 104 percent, the time required 
for the remaining engine to run to complete a TAL droop, the time required for the remaining engines to 
run to complete a two-engine RTLS, the time required for the remaining engine to run to complete a 
one-engine RTLS, the time required for the remaining engines to run to complete a two-engine PTA, the 
time required for the remaining engines to run to complete a two-engine PTM, the time required for the 
remaining engine to run to complete a one-engine TAL to a redesignation site, the time required to 
complete the throttle-bucket phase of the first stage, the time required to complete the 104-percent por- 
tion of the first stage, the time required to complete the pre-MECO throttle-down phase of the second 
stage, the time required for the remaining engines to run to complete a two-engine TAL, and the time 
required to complete the 104-percent portion of the second stage. 

For TREQD(1), the time that is required for the completion of a 1-E PTM, which is a function of 
the times of the first and second engine failures, is returned. 

For TREQD(2), the time that is required for the completion of a 1-E TAL at 104 percent, which 
is a function of the times of the engine failures and the vehicle acceleration values, is returned. 

For TREQD(3), the time that is required for the completion of a TAL droop, which is a function 
of the times of the engine failures and the vehicle acceleration values, is returned. 

For TREQD(4), the time that is required for the completion of a 2-E RTLS, which is a function 
of the time of the engine failure, is returned. 

For TREQD(5), the time that is required for the completion of a 1-E RTLS, which is a function 
of the times of engine failures, is returned. 

For TREQD(6), the time that is required for the completion of a 2-E PTA, which is a function of 
the time of the engine failure, is returned. 

For TREQD(7), the time that is required for the completion of a 2-E PTM, which is a function of 
the time of the engine failure, is returned. 

For TREQD(8), the time that is required for the completion of a 1-E TAL to a redesignation site, 
which is a function of the times of the engine failures and the acceleration values, is returned. 

For TREQD(9), the time that is required for the engines to operate at 100 percent during the 
prelaunch and the first stage is returned. 

For TREQD(10), the time that is required for the engines to operate at 104 percent during the 
first stage is returned. 

For TREQD(11), the time that is required for the engines to operate at 100 percent during the 
second stage is returned. 

For TREQD(12), the time that is required for the completion of a 2-E TAL, which is a function 
of the vehicle’s acceleration, is returned. 

For TREQD(13), the time that is required for the engines to operate at 104 percent during the 
second stage is returned. 

3.2.15 Vehicle’s Black Zone Status Determination. Function BLKZONE determines whether or 
not the vehicle is in a three-engine out black zone. 





As can be seen from the code, this subprogram compares the VI at the time of the third engine 
failure with the black zone VI boundaries for three SSME’s out. The vehicle is said to 
be in a black zone if the VI at the time of the third engine failure is greater than or equal to 8,000 ft/s and 
less than or equal to 18,000 ft/s. 
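
The late TAL option logic of section 3.2.5 combined with the black zone test above, as an added Python example (not the memorandum's Fortran code) that uses the site names and VI boundary values listed in section 4.1. It assumes late TAL is entered with three SSME's out, so a contingency abort resolves by the three-engine rule of section 2.3.7, and it treats a VI exactly equal to the last option's boundary as a contingency abort, a case the prose leaves unspecified; the function names are hypothetical.

```python
# Added illustration; boundary values (ft/s) and sites are those of section 4.1.
EARLIEST_LATE_TAL = 22_000
LATE_TAL_OPTIONS = [
    (22_700, "Amilcar Cabral (AML)"),   # first late TAL
    (24_500, "Banjul"),                 # second late TAL
    (25_200, "Kinshasa (KIM)"),         # third late TAL
    (25_500, "Hoedspruit (HDS)"),       # fourth late TAL
]
BLACK_ZONE_LOWER = 8_000
BLACK_ZONE_UPPER = 18_000

LOST = "CREW AND VEHICLE LOST"
BAILOUT = "CREW BAILOUT, VEHICLE LOST"


def in_black_zone(vi):
    """BLKZONE rule: both boundaries are inclusive."""
    return BLACK_ZONE_LOWER <= vi <= BLACK_ZONE_UPPER


def contingency_outcome(vi):
    """Three SSME's out (assumed): black zone decides between loss and bailout."""
    return LOST if in_black_zone(vi) else BAILOUT


def late_tal_outcome(vi):
    """Outcome of a late TAL attempt for the VI at premature MECO."""
    if vi < EARLIEST_LATE_TAL:
        return contingency_outcome(vi)
    first_boundary, first_site = LATE_TAL_OPTIONS[0]
    if vi <= first_boundary:            # first option: "less than or equal to"
        return "LAND " + first_site
    for boundary, site in LATE_TAL_OPTIONS[1:]:
        if vi < boundary:               # later options: strictly "less than"
            return "LAND " + site
    # VI above the last boundary is stated to be a contingency abort.
    # Assumption: VI exactly equal to the last boundary is handled the same way.
    return contingency_outcome(vi)


def boundary_audit():
    """Outcome one ft/s below, at, and one ft/s above every boundary value."""
    boundaries = [BLACK_ZONE_LOWER, BLACK_ZONE_UPPER, EARLIEST_LATE_TAL]
    boundaries += [boundary for boundary, _ in LATE_TAL_OPTIONS]
    return [(vi, late_tal_outcome(vi))
            for b in boundaries for vi in (b - 1, b, b + 1)]


if __name__ == "__main__":
    for vi, outcome in boundary_audit():
        print(f"{vi:>6} ft/s  {outcome}")
```

The audit makes the asymmetric comparisons visible: 22,700 ft/s still lands at the first site, while 24,500 and 25,200 ft/s each fall through to the next option.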

3.2.16 Vehicle Inertial Velocity Determination. Function VI determines the inertial velocity 
which corresponds to the engine failure times. This function is used to calculate the vehicle’s inertial 
velocity for various engine failure situations: the inertial velocity of the vehicle at the time of the first 
engine failure, the inertial velocity at the time of the second engine failure, the inertial velocity at the 
time of the third engine failure for the last engine functioning at 104 percent, and the inertial velocity at 
the time of the third engine failure for the last engine functioning at 109 percent. 

For VI(1), the vehicle’s inertial velocity at the time of the first engine failure, which is a function 
of the ascent trajectory coefficients, is returned. 

For VI(2), the vehicle’s inertial velocity at the time of the second engine failure, which is a func- 
tion of times of the engine failures and the acceleration values, is returned. 

For VI(3), the vehicle’s inertial velocity at the time of the third engine failure for the last engine 
functioning at 104 percent, which is a function of the times of engine failures and the acceleration 
values, is returned. 

For VI(4), the vehicle’s inertial velocity at the time of the third engine failure for the last engine 
functioning at 109 percent, which is a function of the times of the engine failures and the acceleration 
values, is returned. 


IV. SAMPLE APPLICATION 

Data were input into the simulation program to determine the frequency of occurrence of the 
various ascent/abort options for the flight of STS-32. The results are limited by the assumptions and may 
indicate where further refinement of the shuttle system element models, ascent trajectory, or abort mode 
models are required. The results presented are for the purpose of demonstrating the use of the program 
only and are not official NASA estimates of probabilities. The summary from the simulation is shown in 
appendix I. 

4.1 Model Input 

Data for the simulation were obtained from the ascent checklist — STS-32 flight supplement, 
SSME reliability studies, ET and SRB reliability studies, and mission duration information. The input 
data used are as follows: 

Number of simulations: 1,000,000 

TAL Sites:

Primary two-engine TAL site:        Ben Guerir (BEN)
Primary one-engine TAL site:        Banjul (BYD)
Primary TAL droop target:           Banjul
Last two-engine TAL site:           Moron (MRN)
First late TAL site:                Amilcar Cabral (AML)
Second late TAL site:               Banjul
Third late TAL site:                Kinshasa (KIN)
Fourth late TAL site:               Hoedspruit (HDS)
First TAL redesignation option:     Droop to Banjul
Second TAL redesignation option:    TAL to Banjul
Third TAL redesignation option:     TAL to Ben Guerir

VI Boundary Values (ft/s)

Two-engine to primary TAL:          6,200
MECO for TAL:                       24,000
Nominal MECO:                       25,918
Negative return:                    8,400
Two-engine Press to ATO:            9,600
Two-engine Press to MECO:           13,900
One-engine Press to MECO:           16,800
One-engine to primary TAL:          13,700
TAL droop to primary target:        12,000
Last two-engine TAL:                13,500
First late TAL:                     22,700
Second late TAL:                    24,500
Third late TAL:                     25,200
Fourth late TAL:                    25,500
Earliest late TAL:                  22,000
Lower black zone boundary:          8,000
Upper black zone boundary:          18,000

First Engine-Out TAL Redesignation Increments (ft/s)

 1    6,200      11    7,200      21    8,200      31    9,200
 2    6,300      12    7,300      22    8,300      32    9,300
 3    6,400      13    7,400      23    8,400      33    9,400
 4    6,500      14    7,500      24    8,500      34    9,500
 5    6,600      15    7,600      25    8,600
 6    6,700      16    7,700      26    8,700
 7    6,800      17    7,800      27    8,800
 8    6,900      18    7,900      28    8,900
 9    7,000      19    8,000      29    9,000
10    7,100      20    8,100      30    9,100




Droop to BYD TAL (109 percent) Redesignation Option (ft/s)

 1   10,900      11   11,100      21   11,300      31   11,500
 2   10,900      12   11,200      22   11,300      32   11,500
 3   11,000      13   11,200      23   11,400      33   11,500
 4   11,000      14   11,200      24   11,400      34   11,500
 5   11,000      15   11,200      25   11,400
 6   11,000      16   11,200      26   11,400
 7   11,000      17   11,300      27   11,400
 8   11,100      18   11,300      28   11,400
 9   11,100      19   11,300      29   11,400
10   11,100      20   11,300      30   11,500

BYD TAL (104 percent) Redesignation Option (ft/s)

 1               11     —         21   13,900      31   13,600
 2               12     —         22   13,900      32   13,600
 3               13     —         23   13,800      33   13,600
 4               14     —         24   13,800      34   13,600
 5               15     —         25   13,800
 6               16   14,300      26   13,700
 7               17   14,200      27   13,700
 8               18   14,100      28   13,700
 9               19   14,000      29   13,700
10     —         20   13,900      30   13,700

BEN TAL (109 percent) Redesignation Option (ft/s)

 1   16,400      11   14,900      21   14,000      31   13,800
 2   16,300      12   14,800      22   14,000      32   13,800
 3   16,100      13   14,700      23   13,900      33   13,700
 4   16,000      14   14,600      24   13,900      34   13,700
 5   15,800      15   14,400      25   13,900
 6   15,700      16   14,300      26   13,900
 7   15,500      17   14,300      27   13,800
 8   15,400      18   14,200      28   13,800
 9   15,200      19   14,100      29   13,800
10   15,100      20   14,100      30   13,800

Element Failure Probabilities

SRB pair failure:                       1/258
ET failure:                             1/10,000

SSME Time-to-Failure Parameters

Benign failures (100 percent):          22,277.7 s
Benign failures (104 percent):          22,889.6 s
Benign failures (109 percent):          9,744.1 s
Catastrophic failures (100 percent):    149,693.5 s
Catastrophic failures (104 percent):    77,252.4 s
Catastrophic failures (109 percent):    13,181.1 s

Launch/Ascent Phase Times (s)

Duration of the prelaunch phase:        6.6
Beginning of “throttle bucket”:         25
End of the “throttle bucket”:           70
Time of SRB separation:                 130
Time of RTLS capability:                150
Beginning of throttle down:             460
Time of MECO:                           516

Vehicle Acceleration Values (ft/s^2)

Two functioning SSME’s
104-percent thrust:                     44.31

One functioning SSME
104-percent thrust:                     22.16
109-percent thrust:                     23.23

Required Decision Time

15 s

Enable/Inhibit Switch Status

Enabled

4.2 Model Output 

The frequency of occurrence of the ascent and abort events during the mission phases and abort 
modes (for 1,000,000 simulations) are as follows: 

Prelaunch

On-pad shutdown                                  802
Catastrophic SSME failure                          2

First Stage

Crew bail-out                                    142
Catastrophic SSME failure                      4,197
ET failure                                         2
SRB failure                                    2,921

Second Stage

Nominal ascent                               914,416
Successful one-engine TAL to BYD                  36
Successful TAL droop to BYD                       35
Successful one-engine PTM                          2
Crew bail-out                                    110
Catastrophic SSME failure                     13,338

Return to Launch Site

Successful two-engine RTLS                    20,017
Successful one-engine RTLS                     1,333
Catastrophic SSME failure                        327


Successful two-engine TAL to BEN              13,191
Successful redesignation TAL droop to BYD        107
Successful redesignation TAL to BEN              219
Crew bail-out                                     74
Catastrophic SSME failure                         37

Press to MECO and Abort to Orbit

Successful two-engine PTM                      1,198
Successful two-engine ATO                        514
Successful one-engine PTM                        361
Successful one-engine TAL to BYD                 145
Successful TAL droop to BYD                       36
Crew bail-out                                     35
Catastrophic SSME failure                         73


4.3 Results 

For the sample application that was considered, several interesting observations can be made. 
The results showed that the shuttle achieved orbit without problems 91.442 percent of the time. The 
system was safely shut down on the pad 0.080 percent of the time. An ET failure occurred 0.0002 
percent of the time, and an SRB failure occurred 0.292 percent of the time. The vehicle successfully 
completed an abort 6.352 percent of the time. Catastrophic main engine failures occurred 1.797 percent 
of the time. The crew survived by bailing out of the vehicle 0.036 percent of the time. The crew and 
vehicle survived the performance of abort attempts 99.147 percent of the time. 


V. SUMMARY AND CONCLUSIONS 


5.1 Conclusions 

The model developed was a significant effort toward the use of probabilistic characterization of 
the performance of the space shuttle in relation to its abort modes. The model allows the estimation of 
percentages of occurrences of various abort options for provided input for a mission. 

The computer program that was developed can be used to analyze the effects of the variation in 
parameters on the space shuttle performance of abort modes. The program can be used to analyze 
specific missions or the general effect of parameter variations on the space shuttle missions. 

5.2 Recommendations for Future Research 

The model that has been developed is intended to be a first step toward the development of a 
simulation model for the analysis of space shuttle aborts. Future work should be performed in relation to 
the following areas: 





1. Incorporation of abort modes that are initiated for system failures 

2. Refinement of the approaches that were used to estimate the performance of abort options 

3. Expansion of the model to include other mission phases, such as aborts that occur from orbit 

4. Improvement of the propulsion element failure models. 

5. Incorporation of the use of a more accurate probability distribution, such as a Weibull
distribution, into the program code to provide for a more accurate representation of the time
to failure behavior of the SSME’s.


APPENDIX A


Ascent Checklist — STS-32 Flight Supplement


No Comm Mode Boundaries card definitions:

NEG RETURN (104)        = Last RTLS capability
PRESS TO ATO (104)      = First two-engine Press-to-ATO capability
DROOP BYD (109)         = First TAL droop capability at 109-percent RPL
PRESS TO MECO (104)     = First Press-to-MECO capability at 104-percent RPL
LAST MRN (104)          = Last two-engine TAL to Moron capability
SE BYD (104)            = First one-engine TAL to Banjul capability at 104-percent RPL
LAST BEN (104)          = Last two-engine TAL to Ben Guerir capability
SE PRESS (104)          = First one-engine Press-to-MECO capability at 104-percent RPL
LAST AUTO BYD
  2 or 3 engine (65)    = Last Auto TAL capability to Banjul with two or three engines at
                          65-percent RPL
  1 engine (104)        = Last Auto TAL capability to Banjul with one engine at
                          104-percent RPL
LAST LATE TAL BYD       = Last late TAL to Banjul capability
LAST LATE TAL KIN       = Last late TAL to Kinshasa capability
LAST LATE TAL HDS       = Last TAL to HDS capability
2 ENG BEN (104)         = First two-engine TAL capability to Ben Guerir at 104-percent RPL
ABORT TAL BEN
  EO VI                 = VI value at the time of the first engine failure
  DROOP AML (109)       = TAL redesignation value for the first TAL droop capability at
                          109-percent RPL
  SE BYD (109)          = TAL redesignation value for the first one-engine TAL capability
                          to Banjul at 109-percent RPL
  SE BEN (109)          = TAL redesignation value for the first one-engine TAL capability
                          at Ben Guerir at 109-percent RPL
2 ENG MRN (104)         = First two-engine TAL capability to Moron at 104-percent RPL
ABORT TAL MRN
  EO VI                 = VI value at the time of the first engine failure
  DROOP GDV (109)       = TAL redesignation value for the first TAL droop capability at
                          109-percent RPL
  SE BYD (109)          = TAL redesignation value for the first one-engine TAL capability
                          to Banjul at 109-percent RPL
  SE BEN (109)          = TAL redesignation value for the first one-engine TAL capability
                          to Ben Guerir at 109-percent RPL
  SE MRN (109)          = TAL redesignation value for the first one-engine TAL capability
                          to Ben Guerir at 109-percent RPL

[Checklist card, back of 'EGRESS (CDR & PLT)': BAILOUT / EGRESS, with the SYS FLIGHT RULES matrix
(columns RTLS, TAL, LATE TAL) and the NO COMM MODE BOUNDARIES list. Card FB 2-4, ASC/32/FIN A.
Only the boundary list is reproduced here.]

NO COMM MODE BOUNDARIES

NEG RETURN (104)             8400
PRESS TO ATO (104)           9600
DROOP BYD (109)             12000
LAST MRN (104)              13500
SE BYD (104)                13700
PRESS TO MECO (104)         13900
SE PRESS (104)              16800
LAST BEN (104)              17600
LAST AUTO BYD
  2 or 3 engine (65)        20000
  1 engine (104)            21500
LAST LATE TAL
  AML                       22700
  BYD                       24500
  KIN                       25200
  HDS                       25500

2 ENG BEN (104)              6200
ABORT TAL BEN (2)
  EO VI
  DROOP BYD (109) (5)
  SE BYD (104) (5)
  SE BEN (109) (2)

2 ENG MRN (104)              6800
ABORT TAL MRN (3)
  EO VI
  DROOP BEN (109) (2)
  SE BEN (104) (2)
  SE BYD (104) (5)
  SE MRN (109) (3)

[Checklist card, back of 'RTLS PLT': AUTO TAL CDR procedures. Card FB 2-14, ASC/32/FIN A.]

[Checklist card, back of 'AUTO TAL PLT': LATE TAL CDR procedures. Card FB 2-16, ASC/32/FIN A.]

[Cue card: ASCENT ADI - NOMINAL (32 CY 2R).]

[Cue card: MRN TAL REDESIGNATION (32 CY 2R).]


APPENDIX B


Enable/Inhibit Switch Model

From conversations with engineers familiar with the SSME, there were two general observations
about the performance of the SSME’s with the switch in the inhibit position in relation to the
performance of the SSME’s with the switch in the enable position:

1. Approximately 50 percent of the failures that would have resulted in engine shutdown due to
red-line exceedance for the enabled engine case would lead to catastrophic engine failure in the inhibited
engine case.

2. The percentage of benign failures that occur in the inhibit situation is a small percentage of
the total number of failures. The number of benign failures for the inhibited situation is about 1 percent
of the number of benign failures for the enabled situation.

Solving for the time-to-failure parameter estimates for the inhibited engines:

Using the exponential distribution,

R(t) = exp(-L*t) = exp(-t/P) ,

where

R(t) = reliability at time t
L = failure rate
P = mean time to failure .

For catastrophic failures of inhibited engines:

1-R(ic)(t) = 1/2*(1-R(eb)(t))

1-exp(-t/P(ic)) = 1/2*(1-exp(-t/P(eb)))

exp(-t/P(ic)) = 1/2+1/2*exp(-t/P(eb))

-t/P(ic) = ln(1/2*(1+exp(-t/P(eb)))) = ln(1/2)+ln(1+exp(-t/P(eb)))

P(ic) = -t/(ln(1/2)+ln(1+exp(-t/P(eb))))

P(ic) = -t/(-0.693+ln(1+exp(-t/P(eb)))) ,

where:

t = time of the engine’s exposure at the power level

ic = parameter for catastrophic failures of an inhibited engine

eb = parameter for benign failures of an enabled engine.

Since the catastrophic failures of an inhibited engine can result from either catastrophic failures that
would have occurred in an enabled engine or catastrophic failures that are due to the engine being
inhibited,

L(ict) = L(ic)+L(ec)

P(ict) = (P(ic)*P(ec))/(P(ic)+P(ec)) ,

where

ict = the parameter for the total catastrophic failures of inhibited engines.

For benign failures of an inhibited engine:

1-R(ib)(t) = 1/100*(1-R(eb)(t))

1-exp(-t/P(ib)) = 1/100-1/100*exp(-t/P(eb))

exp(-t/P(ib)) = 99/100+1/100*exp(-t/P(eb))

-t/P(ib) = ln((1/100)*(99+exp(-t/P(eb))))

P(ib) = -t/(-4.60517+ln(99+exp(-t/P(eb)))) .

Estimating the engine power level exposure time:

Using typical values:

t(100) = 110 s
t(104) = 405 s
t(109) = 350 s .

Time-to-failure parameter estimate functions for inhibited engines:

Benign, 100 percent: P = -110/(-4.60517+ln(99+exp(-110/P(eb))))

Benign, 104 percent: P = -405/(-4.60517+ln(99+exp(-405/P(eb))))

Benign, 109 percent: P = -350/(-4.60517+ln(99+exp(-350/P(eb))))

Catastrophic: P = (P(ic)*P(ec))/(P(ic)+P(ec)) ,

where

100 percent: P(ic) = -110/(-0.693+ln(1+exp(-110/P(eb))))

104 percent: P(ic) = -405/(-0.693+ln(1+exp(-405/P(eb))))

109 percent: P(ic) = -350/(-0.693+ln(1+exp(-350/P(eb))))
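The Appendix B conversion from enabled to inhibited time-to-failure parameters, worked through with the section 4.1 sample input. This is an added example, not the memorandum's program; the function names are hypothetical, and it computes the logarithms exactly rather than with the rounded constants printed above.

```python
"""Inhibited-engine time-to-failure parameters (Appendix B), added example."""
import math

# Enabled-engine mean times to failure in seconds, from the section 4.1 input.
ENABLED_BENIGN = {100: 22277.7, 104: 22889.6, 109: 9744.1}
ENABLED_CATASTROPHIC = {100: 149693.5, 104: 77252.4, 109: 13181.1}
# Typical exposure time in seconds at each power level, from Appendix B.
EXPOSURE = {100: 110.0, 104: 405.0, 109: 350.0}


def unreliability(t, mean_ttf):
    """Return 1 - R(t) for the exponential model R(t) = exp(-t/P)."""
    if t <= 0 or mean_ttf <= 0:
        raise ValueError("t and mean_ttf must be positive")
    return -math.expm1(-t / mean_ttf)


def mean_ttf_for(t, failure_prob):
    """Return the P for which 1 - exp(-t/P) equals failure_prob."""
    if not 0.0 < failure_prob < 1.0:
        raise ValueError("failure_prob must lie strictly between 0 and 1")
    return -t / math.log1p(-failure_prob)


def inhibited_parameters(t, p_eb, p_ec):
    """Apply the two Appendix B observations at exposure time t.

    p_eb and p_ec are the enabled benign and catastrophic parameters.
    Returns (P(ic), P(ict), P(ib)) in seconds.
    """
    q_eb = unreliability(t, p_eb)
    # Observation 1: half of the red-line shutdowns become catastrophic.
    p_ic = mean_ttf_for(t, 0.5 * q_eb)
    # Failure rates add, L(ict) = L(ic) + L(ec), so the means combine harmonically.
    p_ict = (p_ic * p_ec) / (p_ic + p_ec)
    # Observation 2: about 1 percent of the benign failures stay benign.
    p_ib = mean_ttf_for(t, 0.01 * q_eb)
    return p_ic, p_ict, p_ib


def printed_form_p_ic(t, p_eb, ln_half=-0.693):
    """Evaluate P(ic) = -t/(ln(1/2)+ln(1+exp(-t/P(eb)))) for a given ln(1/2)."""
    return -t / (ln_half + math.log(1.0 + math.exp(-t / p_eb)))


def sample_table():
    """Inhibited parameters for the three power levels of the sample input."""
    return {
        pct: inhibited_parameters(EXPOSURE[pct], ENABLED_BENIGN[pct],
                                  ENABLED_CATASTROPHIC[pct])
        for pct in (100, 104, 109)
    }


if __name__ == "__main__":
    for pct, (p_ic, p_ict, p_ib) in sample_table().items():
        rounded = printed_form_p_ic(EXPOSURE[pct], ENABLED_BENIGN[pct])
        print(f"{pct}%: P(ic)={p_ic:.1f}  P(ict)={p_ict:.1f}  P(ib)={p_ib:.1f}"
              f"  P(ic) with ln(1/2) taken as -0.693: {rounded:.1f}")
```

The denominator of P(ic) is a small difference of two nearly equal terms, so evaluating the printed form with ln(1/2) rounded to -0.693 moves the 100-percent result by about 6 percent relative to the exact logarithm.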
[Figure: ENABLE/INHIBIT SWITCH LOGIC SUMMARY. Legend: 1EO = 1st SSME failure; 2EO = 2nd SSME
failure; E = Switch in Enable position; I = Switch in Inhibit position.]

[Figure: ENABLE/INHIBIT SWITCH MODEL FLOWCHART.]








APPENDIX C 


Vehicle Ascent Model 

The vehicle ascent model was an attempt to determine the inertial velocity of the vehicle as a 
function of the time in the ascent. Ascent simulation information for STS-27 and STS-29 was 
referenced. Curves were fit to the VI versus t data for the second stage for each of the missions. It was 
determined that an exponential function provided a good fit to both sets of data. The function is of the 
form: 

VI = exp(a+b*t) .

[Figure: Regression of STS27 on T.]

Regression Analysis - Exponential model: Y = exp(a+bX)

Dependent variable: STS27                    Independent variable: T

Parameter      Estimate       Standard Error    T Value     Prob. Level
Intercept      7.94512        6.5458E-3         1213.77     .00000
Slope          4.32715E-3     1.93531E-5        223.59      .00000

Analysis of Variance

Source           Sum of Squares    Df    Mean Square    F-Ratio      Prob. Level
Model            4.269              1    4.269          49992.44     .00000
Error            .001452           17    .000085
Total (Corr.)    4.270571          18

Correlation Coefficient = 0.99983            R-squared = 99.97 percent
Stnd. Error of Est. = 9.24096E-3


Regression Analysis - Exponential model: Y = exp(a+bX)

Dependent variable: STS29                    Independent variable: T

Parameter      Estimate       Standard Error    T Value     Prob. Level
Intercept      7.69441        3.73546E-3        2059.83     .00000
Slope          4.75395E-3     1.10441E-5        430.451     .00000

Analysis of Variance

Source           Sum of Squares    Df    Mean Square    F-Ratio      Prob. Level
Model            5.15               1    5.15           185287.7     .00000
Error            .000473           17    .000028
Total (Corr.)    5.153279          18

Correlation Coefficient = 0.999954           R-squared = 99.99 percent
Stnd. Error of Est. = 5.2735E-3


APPENDIX D


Vehicle Acceleration Estimation

The acceleration of the vehicle for the TAL, PTA, and PTM abort modes was estimated by
combining information from each of the abort modes to arrive at an estimate that could be used to
[illegible]. The sources that were referenced to obtain the acceleration estimate
were STS-31 TAL simulation data and the Briscoe presentation material.

Estimating the vehicle acceleration for TAL, PTA, and PTM attempts:

For TAL attempts (fig. D-1):

For a 2-E TAL initiated at 186 s MET,

ACC = dVI/dT = 34.09 ft/s^2 .

For a 2-E TAL initiated at 328 s MET,

ACC = dVI/dT = 47.24 ft/s^2 .

Estimating the acceleration for a 2-E TAL with the engines functioning at 104-percent RPL,

ACC(TAL) = (34.09+47.24)/2 = 40.7 ft/s^2 .


For PTM attempts:

Using STS-26 data from reference 1:

Tmeco = 516 s
T(init.) = 320 s
T(comp.) = 600 s ,

where

Tmeco = time of nominal MECO
T(init.) = time of the 2-E TAL at 104-percent initiation
T(comp.) = time of the 2-E TAL at 104-percent completion

From the previous,

VI(init.) = exp(a+b*320) .

From the STS-26 data,

a = 7.97
b = 0.0042766

VI(init.) = 11,367 ft/s.

Similarly,

VImeco = exp(a+b*516) ,

VImeco = 26,284 ft/s .

Estimating the acceleration for a PTM attempt,

ACC(PTM) = (VImeco-VI(init.))/(T(comp.)-Tmeco) = (26,284-11,367)/(600-320)

ACC(PTM) = 46.6 .

For a 2-E PTM with the engines functioning at 104-percent RPL,

ACC(PTM) = 46.6 ft/s^2 .


For PTA attempts:

Using a similar approach as was used in determining the PTM acceleration estimate value,

Tmeco = 516 s
T(init.) = 281 s
T(comp.) = 619 .

VImeco = 26,284 ft/s
VI(init.) = 9,621 ft/s .

For a 2-E PTA with the engines functioning at 104-percent RPL,

ACC(PTA) = 49.3 ft/s^2 .

Combining the TAL, PTA, and PTM results to obtain an overall estimate,

ACC = (ACC(TAL)+ACC(PTA)+ACC(PTM))/3 = (40.7+46.6+49.3)/3

ACC = 45.5 ft/s^2 .

Assuming that the vehicle’s acceleration is proportional to the number of engines functioning and the
power level at which the engines are performing,

ACC(Engines,%RPL) = (Engines/2)*(%RPL/104)*ACC(2,104)

                  = (Engines/2)*(%RPL/104)*45.5 ,

where

Engines = number of engines functioning

%RPL = percent of the RPL at which the engines are functioning.

The acceleration values that will be used for the vehicle for the abort options at the various number of
functioning engines and engine power levels are therefore:

ACC(1,104) = 22.8 ft/s^2

ACC(1,109) = 23.8 ft/s^2

ACC(2,104) = 45.5 ft/s^2 .

[Figure D-1: 2-E TAL to Moron, VI vs. MET.]


APPENDIX E


RTLS Model Development

The RTLS model involved determining the time that would be required to complete an RTLS
based on the vehicle’s current situation. Data sources that were referenced during the development of the
model were the Flight Procedures Handbook — Ascent/Aborts and STS-31 RTLS simulation data.

Developing the RTLS required time to completion model:

From the Flight Procedures Handbook, it appears that an RTLS attempt can be divided into two phases,
the fuel dissipation phase and the flyback and powered pitchdown phase.

T(reqd) = T(fd)+T(fb and PPD) ,

where

T(reqd) = time required for RTLS completion
T(fd) = time required for fuel dissipation
T(fb and PPD) = time required for flyback and powered pitchdown.

From the data (fig. E-1),

T(fb and PPD) ≈ 350 s

T(fd) = b+m*T(init.) = (270/(T(L,RTLS)-T(E,RTLS)))*(T(L,RTLS)-T(init.)) ,

where

T(init.) = time of RTLS initiation
T(L,RTLS) = time of last RTLS capability
T(E,RTLS) = time of earliest RTLS initiation capability .

Since the VI value for the last RTLS is given (from the no comm mode boundary cards),

VI(Last RTLS) = exp(a+b*T(Last RTLS)) , or
T(Last RTLS) = (ln(VI(Last RTLS))-a)/b ,

where

VI(Last RTLS) = the VI value for last RTLS capability.

The required remaining run time for engines for the successful completion of a two-SSME RTLS abort
is therefore:

Treqd(2-E RTLS) = 350+(270/(T(L,RTLS)-T(E,RTLS)))*(T(L,RTLS)-T(init.)) .

For the completion of an RTLS attempt with one functioning SSME, the thrust of the remaining engine is at
109 percent. Assuming that the acceleration of the vehicle (dVI/dT) is proportional to the number of
engines functioning and the power level of the engines, we obtain:

Treqd(1-E RTLS) = (Treqd(2-E RTLS)-T(second failure))*((2*104)/(1*109)) ,

where

T(second failure) = the time of the second SSME failure relative to the beginning of the 2-E
RTLS attempt

The required remaining run time for the remaining engine with it functioning at 109-percent RPL is
therefore:

Treqd(1-E RTLS) = 1.91*(Treqd(2-E RTLS)-T(second failure)) .

[Figure E-1: 2-E RTLS, VI vs. MET; curves labeled "Init. at 150" and "Init. at 261".]








APPENDIX F 


TAL Model Development 


The TAL model is used to determine the vehicle’s inertial velocity as a function of the times of 
the engine failures. TAL situations that were considered were 2-ENG TAL attempts at 104 percent to the 
primary site, 1-ENG TAL attempts at 104 percent to the primary site, 1-ENG TAL attempts at 104 
percent to a redesignation site, and 1-ENG TAL attempts at 109 percent to a redesignation site. The 
estimates of the vehicle’s acceleration are used in the model. 

Developing the TAL VI = f(time of engine failure) model:

For a 2-ENG TAL attempt at 104 percent:

VI = VI(1stEO)+(T(2ndEO)-T(1stEO))*ACC(2-ENG at 104 percent) ,

where

VI(1stEO) = inertial velocity at the time of the first engine failure
T(2ndEO) = time of the second engine failure
T(1stEO) = time of the first engine failure
ACC(2-ENG at 104 percent) = the vehicle’s acceleration with two engines functioning at
                            104 percent.

For a 1-ENG TAL attempt at 104 percent:

VI = VI(1stEO)+(T(2ndEO)-T(1stEO))*ACC(2-ENG at 104 percent)
     +(T(3rdEO)-T(2ndEO))*ACC(1-ENG at 104 percent) ,

where

T(3rdEO) = time of the third engine failure
ACC(1-ENG at 104 percent) = vehicle’s acceleration with one engine functioning at
                            104 percent.

For a 1-ENG TAL attempt at 109 percent:

VI = VI(1stEO)+(T(2ndEO)-T(1stEO))*ACC(2-ENG at 104 percent)
     +(T(3rdEO)-T(2ndEO))*ACC(1-ENG at 109 percent) ,

where

ACC(1-ENG at 109 percent) = vehicle’s acceleration with one engine functioning at
                            109 percent.


APPENDIX G


PTA and PTM Model Development

The PTA and PTM models involved determining the time that would be required to complete a
PTA and PTM based on the vehicle’s current situation. Abort situations that were considered were
2-ENG PTM and PTA attempts at 104 percent and a 1-ENG PTM attempt at 104 percent.

Developing the PTA and PTM required time to completion model:

For a 2-ENG PTM attempt:

Assumption: For a PTM attempt to be successful, the vehicle must attain the VI that would have
been attained at the time of MECO for a nominal ascent.

Using the vehicle performance model,

VI(MECO) = exp(a+b*TMECO) ,

where

a,b = VI versus t profile parameters
TMECO = time of MECO.

Assumption: The acceleration of the vehicle is proportional to its thrust.

ACC(2E,104%) = 2/3*104/104*ACC(3E,104%)

VI(MECO) = ACC(3E,104%)*TMECO = ACC(3E,104%)*T(1stEO)+ACC(2E,104%)*Treqd ,

where

Treqd = required remaining run time for the two remaining engines

TMECO = T(1stEO)+2/3*Treqd

Treqd = 3/2*(TMECO-T(1stEO)) .

For a 2-ENG PTM:

Treqd = 3/2*(TMECO-T(1stEO)) .

For a 1-ENG PTM attempt:

ACC(3E,104%)*TMECO = ACC(3E,104%)*T(1stEO)+ACC(2E,104%)*(T(2ndEO)-T(1stEO))
                     +ACC(1E,104%)*Treqd ,

TMECO = T(1stEO)+2/3*(T(2ndEO)-T(1stEO))+1/3*Treqd ,

Treqd = 3*TMECO-2*T(2ndEO)-T(1stEO) .

For a 2-ENG PTA attempt:

Assumption: The inertial velocity required for PTA completion is about the same as the inertial
velocity required for PTM completion.

Using the same procedure as for the PTM case,

Treqd = 3/2*(TMECO-T(1stEO)) .
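The relations of Appendices C, E, F, and G, together with the black zone test on VI at the third engine failure, collected into one runnable sketch. This is an added example, not the memorandum's program: the function names are hypothetical, and it assumes the STS-26 curve coefficients quoted in Appendix D alongside the section 4.1 sample accelerations and boundaries.

```python
"""Ascent and abort timing relations from Appendices C, E, F and G (added example)."""
import math

# Sample values taken from the memorandum. Pairing the STS-26 curve with the
# STS-32 boundaries is an assumption made only to have concrete numbers.
A, B = 7.97, 0.0042766           # VI = exp(a + b*t), STS-26 values in Appendix D
T_MECO = 516.0                   # time of MECO (s), section 4.1
T_EARLIEST_RTLS = 150.0          # time of RTLS capability (s), section 4.1
VI_LAST_RTLS = 8400.0            # NEG RETURN (104) boundary (ft/s)
BLACK_ZONE = (8000.0, 18000.0)   # lower and upper black zone boundaries (ft/s)
ACC = {(2, 104): 44.31, (1, 104): 22.16, (1, 109): 23.23}  # ft/s^2, section 4.1


def vi_nominal(t, a=A, b=B):
    """Appendix C: inertial velocity on the nominal ascent at time t."""
    return math.exp(a + b * t)


def time_at_vi(vi, a=A, b=B):
    """Appendix E: invert the ascent curve, T = (ln(VI) - a)/b."""
    if vi <= 0:
        raise ValueError("VI must be positive")
    return (math.log(vi) - a) / b


def vi_at_failures(t1, t2=None, t3=None, last_engine_pct=104):
    """Appendix F: VI at the latest engine failure supplied (VI(1) to VI(4))."""
    if t3 is not None and t2 is None:
        raise ValueError("a third failure time requires a second one")
    times = [t for t in (t1, t2, t3) if t is not None]
    if times != sorted(times):
        raise ValueError("engine failure times must be in order")
    vi = vi_nominal(t1)                       # three engines up to the first failure
    if t2 is not None:
        vi += (t2 - t1) * ACC[(2, 104)]       # two engines at 104 percent
    if t3 is not None:
        vi += (t3 - t2) * ACC[(1, last_engine_pct)]  # last engine at 104 or 109
    return vi


def in_black_zone(vi, bounds=BLACK_ZONE):
    """True when VI at the third engine failure lies within the black zone."""
    return bounds[0] <= vi <= bounds[1]


def ptm_time_required(t1, t2=None, t_meco=T_MECO):
    """Appendix G: run time still needed after the latest failure to reach VI(MECO)."""
    if t2 is None:
        return 1.5 * (t_meco - t1)            # two engines remaining
    return 3.0 * t_meco - 2.0 * t2 - t1       # one engine remaining


def rtls_time_required(t_init, t_second_failure=None,
                       t_last=None, t_earliest=T_EARLIEST_RTLS):
    """Appendix E: required run time for a 2-E RTLS, or 1-E after a second failure.

    t_second_failure is measured from the start of the 2-E RTLS attempt.
    """
    if t_last is None:
        t_last = time_at_vi(VI_LAST_RTLS)
    if not t_earliest <= t_init <= t_last:
        raise ValueError("RTLS initiation outside the capability window")
    two_engine = 350.0 + 270.0 / (t_last - t_earliest) * (t_last - t_init)
    if t_second_failure is None:
        return two_engine
    return (two_engine - t_second_failure) * (2 * 104) / (1 * 109)


if __name__ == "__main__":
    vi3 = vi_at_failures(200.0, 300.0, 350.0, last_engine_pct=109)
    print(f"VI(4) = {vi3:.0f} ft/s, black zone: {in_black_zone(vi3)}")
    print(f"2-E RTLS from 150 s needs {rtls_time_required(150.0):.0f} s")
```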
APPENDIX H


STS Ascent/Abort Event Tree Diagram


Definition of Symbols

Symbol       Definition

A1           First anomaly occurs
A2           Second anomaly occurs
ATO2         Successful 2-SSME ATO
BZN          Vehicle is in a black zone
BZY          Vehicle is not in a black zone
B9           Benign SSME failure
Cl           Catastrophic SSME failure
DTME21       Time between ME2 and ME1
DTME32       Time between ME3 and ME2
ET           ET failure
LC           Loss of vehicle and crew
LV           Loss of vehicle — crew bailout
ME1          First SSME failure
ME2          Second SSME failure
ME3          Third SSME failure
NTM          Nominal ascent to MECO
OP           On-pad engine shutdown
PTM1         Successful 1-SSME PTM
PTM2         Successful 2-SSME PTM
RTLS1        Successful 1-SSME RTLS
RTLS2        Successful 2-SSME RTLS
SRB          SRB failure
TA1          Time of first anomaly
TA2          Time of second anomaly
TA3          Time of third anomaly
TAL2         Successful 2-SSME TAL
TDEC         Required decision time
TDP          Successful TAL droop
TL1P         Successful primary 1-SSME TAL
TLR1         Successful first redesignation site TAL
TLR2         Successful second redesignation site TAL
TLRN         Successful Nth redesignation site TAL
TRTLS        Earliest RTLS initiation time
TSRBS        Time of SRB separation
VI           Vehicle inertial velocity
VILT1        VI boundary for first late TAL
VILT2        VI boundary for second late TAL
VILTN        VI boundary for Nth late TAL
VILTERLY     Early VI boundary for late TAL
VIPA2        2-SSME PTA VI boundary
VIPM1        1-SSME PTM VI boundary
VIPM2        2-SSME PTM VI boundary
VITDP        VI boundary for TAL droop
VITL1P       1-SSME primary TAL VI boundary
VITL2        2-SSME TAL VI boundary
VITLR1       First TAL redesignation TAL boundary
VITLR2       Second TAL redesignation TAL boundary
VITLRN       Nth TAL redesignation TAL boundary

[Figure: Ascent/Abort Event Tree, three panels.]


APPENDIX I


Sample Application Simulation Output

***************************************
*****  SPACE SHUTTLE ABORT MODES  *****
*****     SIMULATION RESULTS      *****
***************************************


SIMULATION INPUT DATA
*—*—*—*—*—*—*—*—*—*—*—*—*


Name of data:                          STS-32
Number of simulations:                 1000000


Ascent Checklist values:

2 ENG (104)
   Name of landing site                BEN
   VI boundary value                   6200
VI value for Abort MECO                24000
VI value for Nominal MECO              25918
NEG RETURN (104)                       8400
PRESS TO ATO (104)                     9600
PRESS TO MECO (104)                    13900
SE PRESS (104)                         16800
SE (104)
   Name of landing site                BYD
   VI boundary value                   13700
DROOP (109)
   Name of target site                 BYD
   VI boundary value                   12000
LAST (104)
   Name of landing site                MRN
   VI boundary value                   13500
Late TALs
   Total number of sites               4
   Late TAL site:                      AML
   VI boundary value                   22700
   Late TAL site:                      BYD
   VI boundary value                   24500
   Late TAL site:                      KIN
   VI boundary value                   25200
   Late TAL site:                      HDS
   VI boundary value                   25500
Earliest Late TAL                      22000


TAL Redesignations 

Total number of 1st EO values 34 


Number 


VI Value 


1 

2 

3 

4 

5 

6 

7 

8 


6200 

6300 

6400 

6500 

6600 

6700 

6800 

6900 



9 

7000 

10 

7100 

11 

7200 

12 

7300 

13 

7400 

14 

7500 

15 

7600 

16 

7700 

17 

7800 

18 

7900 

19 

8000 

20 

8100 

21 

8200 

22 

8300 

23 

8400 

24 

8500 

25 

8600 

26 

8700 

27 

8800 

28 

8900 

29 

9000 

30 

9100 

31 

9200 

32 

9300 

33 

9400 

34 

9500 

Number of redesig. options 3

TAL redesignation option: SE DROOP B

Option power level: 109

Number VI Value

 1   10900
 2   10900
 3   11000
 4   11000
 5   11000
 6   11000
 7   11000
 8   11100
 9   11100
10   11100
11   11100
12   11200
13   11200
14   11200
15   11200
16   11200
17   11300
18   11300
19   11300
20   11300
21   11300
22   11300
23   11400
24   11400
25   11400
26   11400
27   11400
28   11400
29   11400
30   11500
31   11500
32   11500
33   11500
34   11500

TAL redesignation option: SE BYD

Option power level: 104

Number VI Value

 1   16400
 2   16300
 3   16100
 4   16000
 5   15800
 6   15700
 7   15500
 8   15400
 9   15200
10   15100
11   14900
12   14800
13   14700
14   14600
15   14400
16   14300
17   14200
18   14100
19   14000
20   13900
21   13900
22   13900
23   13800
24   13800
25   13800
26   13700
27   13700
28   13700
29   13700
30   13700
31   13600
32   13600
33   13600
34   13600


TAL redesignation option: SE BEN 

Option power level: 109 

Number VI Value

 1   16400
 2   16300
 3   16100
 4   16000
 5   15800
 6   15700
 7   15500
 8   15400
 9   15200
10   15100
11   14900
12   14800
13   14700
14   14600
15   14400
16   14300
17   14300
18   14200
19   14100
20   14100
21   14000
22   14000
23   13900
24   13900
25   13900
26   13900
27   13800
28   13800
29   13800
30   13800
31   13800
32   13800
33   13700
34   13700


Probability of SRB pair failure 3.875969E-03 

Probability of ET failure 1.000000E-04 


Enabled SSME time-to-failure parameters:


Self-contained - 100% RPL 22277.700000
Self-contained - 104% RPL 22889.600000
Self-contained - 109% RPL 9744.100000
Catastrophic - 100% RPL 149693.500000
Catastrophic - 104% RPL 77252.400000
Catastrophic - 109% RPL 13181.100000


Launch/ascent phase times (sec) : 

Duration of the pre-launch phase 6.600000
Beginning of "throttle bucket" 25.000000
End of the "throttle bucket" 70.000000
Time of SRB separation 130.000000
Time of RTLS capability 150.000000
Beginning of throttle down 460.000000
Time of MECO 516.000000



Vehicle acceleration values (ft/sec^2):


2 functioning SSMEs - 104% RPL 44.310000
1 functioning SSME - 104% RPL 22.160000
1 functioning SSME - 109% RPL 23.230000


Required decision time (sec) : 


15.000000 


Enable/inhibit switch status: ON 


Black zone VI boundaries (ft/sec): 

Lower boundary 8000.000000 

Upper boundary 18000.000000 


ASCENT/ABORT SUMMARY 


Nominal to MECO 914416 
On-pad shutdown 802 
Successful RTLS 21350 
Successful TAL 13769 
Successful Aborts to Orbit 10413 
Successful Aborts to MECO 17992 
Non-intact abort - crew bailout 361 
Non-intact abort - loss of crew 0 
Benign SSME failure 67796 
Catastrophic SSME failure 17974 
External Tank failure 2 
Solid Rocket Booster failure 2921 


PRE-LAUNCH SUMMARY


On-pad shutdown 802
Benign 1st SSME failure 802
Catastrophic 1st SSME failure 2
External Tank failure 0


FIRST STAGE SUMMARY 


Non-intact abort - crew bailout 142 
Non-intact abort - loss of crew 0 
Benign 1st SSME failure 15801 
Benign 2nd SSME failure 142 
Benign 3rd SSME failure 0 
Catastrophic 1st SSME failure 4196
Catastrophic 2nd SSME failure 1 
Catastrophic 3rd SSME failure 0 
External Tank failure 2 
Solid Rocket Booster failure 2921 


SECOND STAGE SUMMARY 

Nominal to MECO 914416 
Successful 1-E TAL BYD 36 
Successful TAL Droop BYD 35 
Successful 1-E Press to MECO 2 
Successful Late TAL AML 0 
Successful Late TAL BYD 0 
Successful Late TAL KIN 0 
Successful Late TAL HDS 0 
Non-intact abort - crew bailout 110 
Non-intact abort - loss of crew 0 
Benign 1st SSME failure 48522 
Benign 2nd SSME failure 183 
Benign 3rd SSME failure 0 
Catastrophic 1st SSME failure 13338 
Catastrophic 2nd SSME failure 0 
Catastrophic 3rd SSME failure 0 
External Tank failure 0 


Return to Launch Site (RTLS) Summary 


Successful 2-E RTLS 20017 
Successful 1-E RTLS 1333
Non-intact abort - crew bailout 0 
Non-intact abort - loss of crew 0 
Benign 2nd SSME failure 1359 
Benign 3rd SSME failure 0 
Catastrophic 2nd SSME failure 291 
Catastrophic 3rd SSME failure 36 


Trans-oceanic Abort Landing (TAL) Summary


Successful 2-E TAL BEN 13191 
Successful 1-E TAL BYD 0 
Successful TAL Droop BYD 0 
Successful 1-E TAL SE DROOP B 107 
Successful 1-E TAL SE BYD 0 
Successful 1-E TAL SE BEN 219 
Successful Late TAL AML 0 
Successful Late TAL BYD 0 
Successful Late TAL KIN 0 
Successful Late TAL HDS 0 
Non-intact abort - crew bailout 74 
Non-intact abort - loss of crew 0



Benign 2nd SSME failure 
Benign 3rd SSME failure 
Catastrophic 2nd SSME failure 
Catastrophic 3rd SSME failure 


Press to MECO and ATO Summary 


Successful 2-E PTM 17629
Successful 2-E ATO 10413
Successful 1-E PTM 361
Successful 1-E TAL BYD 145
Successful TAL Droop BYD 36
Successful Late TAL AML 0
Successful Late TAL BYD 0
Successful Late TAL KIN 0
Successful Late TAL HDS 0
Non-intact abort - crew bailout 35
Non-intact abort - loss of crew 0
Benign 2nd SSME failure 577
Benign 3rd SSME failure 0
Catastrophic 2nd SSME failure 73
Catastrophic 3rd SSME failure 0
APPENDIX J


Program Tutorial 


This section is intended to acquaint the program user with how to use the program by walking 
them through an example application. The example application involves assessing the expected risk 
involved for STS-32. 

Start the Program 

The simulation program has been developed for use with a Microsoft FORTRAN version 4.1 or 
an equivalent compiler. The executable file for this program must first be loaded into the directory that 
contains the compiler. 

To begin the program enter: ABTSIM 

Entering Program Input 

This section shows the sample data input. The default values include Ascent Checklist 
values for STS-26 and values that appeared reasonable to the author. The entered data include values 
from the STS-32 Ascent Checklist — Flight Supplement and information that is intended for 
illustration purposes only. The reader is encouraged in particular to follow the Ascent Checklist data as 
they are entered and to locate their position within the document. The reader should also note that when 
data are entered for the TAL redesignation values, if an option is not available at a particular first engine 
out inertial velocity value, the inertial velocity value of the next possible option at that first engine out 
inertial velocity value is entered in its position. If the last option is not available at the first engine out 
velocity value, a very large number is entered as the velocity value for that option. The data that are 
requested and the information that is entered in response for this application are as follows: 

What is the name of the data? 

STS-32 

Would you like to have the results sent 
to an output file (Y or N)? 

Y 

What is the name for the output file? 

STS-32 

How many simulation runs are desired? 

10000 

Please enter your selection. 

1 

-2 ENG (104)? {6300} 

6200 
Name of landing site? {BEN} 

BEN 

VI value for Abort MECO? {24000} 

24000 

VI value for Nominal MECO?? {25918} 
25918 

- NEG RETURN (104)? {8300} 

8400 

- PRESS TO ATO (104)? {9800} 

9600 

- PRESS TO MECO (104)? {12200} 

13900 

- SE PRESS (104)? {18600} 

16800 

-SE (104)? {14000} 

13700 

Name of landing site? {BYD} 

BYD 

-DROOP (109)? {11100} 

12000 

Name of target site? {BYD} 

BYD 

-LAST (104)? {24600} 

13500 


Name of the landing site? {BEN} 
MRN 


What is the total number of Late TAL sites? {3} 
4 

- LAST LATE TAL VI Value 1 

22700 

Name of the landing site? 

AML 
- LAST LATE TAL VI Value 2 

24500 

Name of the landing site? 

BYD 

- LAST LATE TAL VI Value 3 

25200 

Name of the landing site? 

KIN 

- LAST LATE TAL VI Value 4 

25500 

Name of the landing site? 

HDS 

- Earliest Late TAL? {24000} 

22000 

Total number of TAL redesignation options? {3} 

3 

Total number of TAL redesignation velocities? {33} 

34 

Do you wish to use all the default 1st engine 
out VI redesignation values? (Y or N) 

N 

1st EO VI 1 

6200 

1st EO VI 2 

6300 

1st EO VI 3 

6400 

1st EO VI 4 

6500 

1st EO VI 5 

6600 

1st EO VI 6 

6700 
1st EO VI 7 

6800 

1st EO VI 8 

6900 


1st EO VI 9 

7000 

1st EO VI 10 

7100 

1st EO VI 11 

7200 

1st EO VI 12 

7300 

1st EO VI 13 

7400 

1st EO VI 14 

7500 

1st EO VI 15 

7600 

1st EO VI 16 

7700 

1st EO VI 17 

7800 

1st EO VI 18 

7900 

1st EO VI 19 

8000 

1st EO VI 20 

8100 

1st EO VI 21 

8200 

1st EO VI 22 

8300 




1st EO VI 23 

8400 

1st EO VI 24 

8500 

1st EO VI 25 

8600 

1st EO VI 26 

8700 

1st EO VI 27 

8800 

1st EO VI 28 

8900 

1st EO VI 29 

9000 

1st EO VI 30 

9100 

1st EO VI 31 

9200 

1st EO VI 32 

9300 

1st EO VI 33 

9400 

1st EO VI 34 

9500 

Name of the TAL redesignation option 1 
DROOP BYD 


Power level required for this option (104 or 109) 

109 

Name of the TAL redesignation option 2 
BYD 

Power level required for this option (104 or 109) 

104 
Name of the TAL redesignation option 3 
BEN 

Power level required for this option (104 or 109) 

109 

Do you wish to use all the default 2nd engine 

out VI redesignation values for option 1? (Y or N) 

N 

- TAL REDES VI Value 1 1 

10900 

- TAL REDES VI Value 1 2 

10900 

-TAL REDES VI Value 1 3 

11000 

-TAL REDES VI Value 1 4 

11000 

- TAL REDES VI Value 1 5 

11000 

-TAL REDES VI Value 1 6 

11000 

-TAL REDES VI Value 1 7 
11000 

-TAL REDES VI Value 1 8 

11100 

- TAL REDES VI Value 1 9 
11100 

- TAL REDES VI Value 1 10 

11100 

- TAL REDES VI Value 1 11 

11100 

- TAL REDES VI Value 1 12 

11200 

- TAL REDES VI Value 1 13 

11200 
-TAL REDES VI Value 1 14 

11200 

-TAL REDES VI Value 1 15 

11200 

- TAL REDES VI Value 1 16 

11200 

- TAL REDES VI Value 1 17 

11300 

- TAL REDES VI Value 1 18 

11300 

- TAL REDES VI Value 1 19 

11300 

- TAL REDES VI Value 1 20 

11300 

- TAL REDES VI Value 1 21 

11300 

-TAL REDES VI Value 1 22 

11300 

- TAL REDES VI Value 1 23 

11400 

- TAL REDES VI Value 1 24 

11400 

- TAL REDES VI Value 1 25 

11400 

- TAL REDES VI Value 1 26 
11400 

- TAL REDES VI Value 1 27 
11400 

- TAL REDES VI Value 1 28 
11400 

- TAL REDES VI Value 1 29 
11400 
- TAL REDES VI Value 1 30 
11500 

- TAL REDES VI Value 1 31 

11500 

-TAL REDES VI Value 1 32 
11500 

-TAL REDES VI Value 1 33 
11500 

- TAL REDES VI Value 1 34 

11500 

Do you wish to use all the default 2nd engine out 
VI redesignation values for option 2? (Y or N) 

N 

- TAL REDES VI Value 2 1 

16400 

-TAL REDES VI Value 2 2 

16300 

- TAL REDES VI Value 2 3 
16100 

-TAL REDES VI Value 2 4 

16000 

-TAL REDES VI Value 2 5 
15800 

- TAL REDES VI Value 2 6 

15700 

-TAL REDES VI Value 2 7 

15500 

- TAL REDES VI Value 2 8 

15400 

- TAL REDES VI Value 2 9 

15200 

-TAL REDES VI Value 2 10 

15100 
-TAL REDES VI Value 2 11 
14900 

- TAL REDES VI Value 2 12 
14800 

- TAL REDES VI Value 2 13 
14700 

- TAL REDES VI Value 2 14 

14600 

- TAL REDES VI Value 2 15 
14400 

- TAL REDES VI Value 2 16 

14300 

- TAL REDES VI Value 2 17 

14200 

- TAL REDES VI Value 2 18 
14100 

-TAL REDES VI Value 2 19 

14000 

- TAL REDES VI Value 2 20 

13900 

- TAL REDES VI Value 2 21 

13900 

- TAL REDES VI Value 2 22 

13900 

- TAL REDES VI Value 2 23 

13800 

- TAL REDES VI Value 2 24 

13800 

- TAL REDES VI Value 2 25 

13800 

-TAL REDES VI Value 2 26 

13700 
- TAL REDES VI Value 2 27 

13700 

- TAL REDES VI Value 2 28 

13700 

- TAL REDES VI Value 2 29 

13700 

- TAL REDES VI Value 2 30 

13700 

- TAL REDES VI Value 2 31 

13600 

- TAL REDES VI Value 2 32 

13600 

- TAL REDES VI Value 2 33 

13600 

- TAL REDES VI Value 2 34 

13600 

Do you wish to use all the default 2nd engine out 
VI redesignation values for option 3? (Y or N) 

N 

-TAL REDES VI Value 3 1 

16400 

- TAL REDES VI Value 3 2 

16300 

-TAL REDES VI Value 3 3 

16100 

- TAL REDES VI Value 3 4 

16000 

- TAL REDES VI Value 3 5 

15800 


- TAL REDES VI Value 3 6 

15700 

- TAL REDES VI Value 3 7 

15500 
- TAL REDES VI Value 3 8 

15400 

-TAL REDES VI Value 3 9 

15200 

- TAL REDES VI Value 3 10 

15100 

- TAL REDES VI Value 3 11 

14900 

-TAL REDES VI Value 3 12 

14800 

-TAL REDES VI Value 3 13 

14700 

- TAL REDES VI Value 3 14 

14600 

- TAL REDES VI Value 3 15 

14400 

- TAL REDES VI Value 3 16 

14300 

- TAL REDES VI Value 3 17 

14300 

- TAL REDES VI Value 3 18 

14200 

- TAL REDES VI Value 3 19 

14100 

- TAL REDES VI Value 3 20 
14100 

- TAL REDES VI Value 3 21 

14000 

- TAL REDES VI Value 3 22 

14000 

- TAL REDES VI Value 3 23 

13900 





- TAL REDES VI Value 3 24 

13900 

- TAL REDES VI Value 3 25 

13900 

-TAL REDES VI Value 3 26 

13900 

- TAL REDES VI Value 3 27 

13800 


- TAL REDES VI Value 3 28 

13800 

- TAL REDES VI Value 3 29 

13800 

- TAL REDES VI Value 3 30 

13800 

- TAL REDES VI Value 3 31 

13800 

- TAL REDES VI Value 3 32 

13800 

- TAL REDES VI Value 3 33 

13700 

- TAL REDES VI Value 3 34 

13700 

Please enter your selection. 

2 


What is the probability of SRB failure? 
{.00388} 

.00388 


Please enter your selection. 

3 


What is the probability of ET failure? 

{.0001} 

.0001 


Please enter your selection. 
4 
Enabled - catastrophic parameter values: 


- for 100% SSME thrust: {149693.5} 

149693.5 

for 104% SSME thrust: {77252.4} 

77252.4 

- for 109% SSME thrust: {13181.1} 
13181.1 

Enabled - benign parameter values: 


for 100% SSME thrust: {22277.7} 

22277.7 

- for 104% SSME thrust: {22889.6} 

22889.6 

- for 109% SSME thrust: {9744.1} 

9744.1 

Please enter your selection. 

5 

- duration of the prelaunch phase: {6.6} 

6.6 

- beginning of the “throttle bucket”: {25} 

25 

- end of the “throttle bucket”: {70} 

70 

- time of SRB separation: {130} 

130 

- time of RTLS capability: {150} 

150 

- time of pre-MECO throttle down: {460} 

460 

-time of MECO: {516} 

516 

Please enter your selection. 

6 



What is the required decision time? {15} 

15 

Please enter your selection. 

7 

Will the SSMEs be inhibited during black zones 
(Y or N)? (Y) 

Y 


Please enter your selection. 

8 


- the lower back zone VI bound: {8000} 

8000. 


- the upper black zone VI bound: {18000} 

18000. 


Please enter your selection. 

9 


Viewing Program Summaries 

The results of the simulation are summarized on the screen and, since the output file option was 
chosen, a summary of the results is also sent to a file. The output to the screen is menu-driven and 
straightforward. The output to the file may be sent to a printer. The output file for the input data in 
this tutorial is shown in this appendix. 
*************************************** 
***** SPACE SHUTTLE ABORT MODES ***** 
***** SIMULATION RESULTS ***** 

*************************************** 


SIMULATION INPUT DATA 
*-*-*-*-*-*_*-*-*-*-*-*-* 


Name of data: STS-32 

Number of simulations: 10000 


Ascent Checklist values: 


2 ENG (104) 


Name of landing site 

BEN 

VI boundary value 

6200 

VI value for Abort MECO 

24000 

VI value for Nominal MECO 

25918 

NEG RETURN (104) 

8400 

PRESS TO ATO (104) 

9600 

PRESS TO MECO (104) 

13900 

SE PRESS (104) 

16800 

SE (104) 

Name of landing site 

BYD 

VI boundary value 

13700 

DROOP (109) 

Name of target site 

BYD 

VI boundary value 

12000 

LAST (104) 

Name of landing site 

MRN 

VI boundary value 

13500 

Late TALs 

Total number of sites 

4 

Late TAL site: 

AML 

VI boundary value 

22700 

Late TAL site: 

BYD 

VI boundary value 

24500 

Late TAL site: 

KIN 

VI boundary value 

25200 

Late TAL site: 

HDS 

VI boundary value 

25500 

Earliest Late TAL 

22000 

TAL Redesignations 

Total number of 1st EO values 

34 


Number VI Value

 1   6200
 2   6300
 3   6400
 4   6500
 5   6600
 6   6700
 7   6800
 8   6900
 9   7000
10   7100
11   7200
12   7300
13   7400
14   7500
15   7600
16   7700
17   7800
18   7900
19   8000
20   8100
21   8200
22   8300
23   8400
24   8500
25   8600
26   8700
27   8800
28   8900
29   9000
30   9100
31   9200
32   9300
33   9400
34   9500


Number of redesig. options 3

TAL redesignation option: DROOP BYD

Option power level: 109

Number VI Value

 1   10900
 2   10900
 3   11000
 4   11000
 5   11000
 6   11000
 7   11000
 8   11100
 9   11100
10   11100
11   11100
12   11200
13   11200
14   11200
15   11200
16   11200
17   11300
18   11300
19   11300
20   11300
21   11300
22   11300
23   11400
24   11400
25   11400
26   11400
27   11400
28   11400
29   11400
30   11500
31   11500
32   11500
33   11500
34   11500

TAL redesignation option: BYD

Option power level: 104

Number VI Value

 1   16400
 2   16300
 3   16100
 4   16000
 5   15800
 6   15700
 7   15500
 8   15400
 9   15200
10   15100
11   14900
12   14800
13   14700
14   14600
15   14400
16   14300
17   14200
18   14100
19   14000
20   13900
21   13900
22   13900
23   13800
24   13800
25   13800
26   13700
27   13700
28   13700
29   13700
30   13700
31   13600
32   13600
33   13600
34   13600

TAL redesignation option: BEN

Option power level: 109

Number VI Value

 1   16400
 2   16300
 3   16100
 4   16000
 5   15800
 6   15700
 7   15500
 8   15400
 9   15200
10   15100
11   14900
12   14800
13   14700
14   14600
15   14400
16   14300
17   14300
18   14200
19   14100
20   14100
21   14000
22   14000
23   13900
24   13900
25   13900
26   13900
27   13800
28   13800
29   13800
30   13800
31   13800
32   13800
33   13700
34   13700


Probability of SRB pair failure 3.875969E-03 

Probability of ET failure 1.000000E-04 


Enabled SSME time-to-failure parameters: 


Self-contained - 100% RPL 22277.700000
Self-contained - 104% RPL 22889.600000
Self-contained - 109% RPL 9744.100000
Catastrophic - 100% RPL 149693.500000
Catastrophic - 104% RPL 77252.400000
Catastrophic - 109% RPL 13181.100000


Launch/ascent phase times (sec) : 

Duration of the pre-launch phase 6.600000
Beginning of "throttle bucket" 25.000000
End of the "throttle bucket" 70.000000
Time of SRB separation 130.000000
Time of RTLS capability 150.000000
Beginning of throttle down 460.000000
Time of MECO 516.000000


Vehicle acceleration values (ft/sec^2):


2 functioning SSMEs - 104% RPL 44.310000
1 functioning SSME - 104% RPL 22.160000
1 functioning SSME - 109% RPL 23.230000


Required decision time (sec) : 


15.000000 


Enable/inhibit switch status: ON 


Black zone VI boundaries (ft/sec):

Lower boundary 8000.000000

Upper boundary 18000.000000


ASCENT/ABORT SUMMARY 
************ 


Nominal to MECO 9146 
On-pad shutdown 14 
Successful RTLS 206 
Successful TAL 134 
Successful Aborts to Orbit 96 
Successful Aborts to MECO 190 
Non-intact abort - crew bailout 2 
Non-intact abort - loss of crew 0
Benign SSME failure 667 
Catastrophic SSME failure 178 
External Tank failure 1 
Solid Rocket Booster failure 33 


PRE-LAUNCH SUMMARY 


On-pad shutdown 14 
Benign 1st SSME failure 14 
Catastrophic 1st SSME failure 2 
External Tank failure 0 


FIRST STAGE SUMMARY 


Non-intact abort - crew bailout 0 
Non-intact abort - loss of crew 0 
Benign 1st SSME failure 163 
Benign 2nd SSME failure 0 
Benign 3rd SSME failure 0 



Catastrophic 1st SSME failure 36 
Catastrophic 2nd SSME failure 1 
Catastrophic 3rd SSME failure 0 
External Tank failure 1 
Solid Rocket Booster failure 33 


SECOND STAGE SUMMARY 

Nominal to MECO 9146 
Successful 1-E TAL BYD 0 
Successful TAL Droop BYD 0 
Successful 1-E Press to MECO 2 
Successful Late TAL AML 0 
Successful Late TAL BYD 0 
Successful Late TAL KIN 0 
Successful Late TAL HDS 0 
Non-intact abort - crew bailout 1 
Non-intact abort - loss of crew 0 
Benign 1st SSME failure 471 
Benign 2nd SSME failure 3 
Benign 3rd SSME failure 0 
Catastrophic 1st SSME failure 134 
Catastrophic 2nd SSME failure 0 
Catastrophic 3rd SSME failure 0 
External Tank failure 0 


Return to Launch Site (RTLS) Summary 


Successful 2-E RTLS 198 
Successful 1-E RTLS 8 
Non-intact abort - crew bailout 0 
Non-intact abort - loss of crew 0 
Benign 2nd SSME failure 8 
Benign 3rd SSME failure 0 
Catastrophic 2nd SSME failure 4 
Catastrophic 3rd SSME failure 0 


Trans-oceanic Abort Landing (TAL) Summary 


Successful 2-E TAL BEN 130 
Successful 1-E TAL BYD 0 
Successful TAL Droop BYD 0 
Successful 1-E TAL DROOP BYD 0 
Successful 1-E TAL BYD 0 
Successful 1-E TAL BEN 3 
Successful Late TAL AML 0 
Successful Late TAL BYD 0 
Successful Late TAL KIN 0 
Successful Late TAL HDS 0 
Non-intact abort - crew bailout ^ 
Non-intact abort - loss of crew 0 



Benign 2nd SSME failure 
Benign 3rd SSME failure 
Catastrophic 2nd SSME failure 
Catastrophic 3rd SSME failure 


Press to MECO and ATO Summary 


Successful 2-E PTM 185
Successful 2-E ATO 96
Successful 1-E PTM 3
Successful 1-E TAL BYD 1
Successful TAL Droop BYD 0
Successful Late TAL AML 0
Successful Late TAL BYD 0
Successful Late TAL KIN 0
Successful Late TAL HDS 0
Non-intact abort - crew bailout 0
Non-intact abort - loss of crew 0
Benign 2nd SSME failure 4
Benign 3rd SSME failure 0
Catastrophic 2nd SSME failure 0
Catastrophic 3rd SSME failure 0
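
Added example (not part of the memorandum or of the ABTSIM program): the two ASCENT/ABORT SUMMARY listings in these appendixes, checked for internal consistency and converted to probability estimates with 95% Wilson intervals, which shows how much wider the 10,000-run estimates are than the 1,000,000-run ones and why a count of 0 is not a probability of 0. Treating "Benign SSME failure" as an event tally rather than an end state is an assumption, supported by the other eleven rows summing exactly to the run count; all function names are hypothetical.

```python
import math

# Rows of the ASCENT/ABORT SUMMARY, in the order the program prints them.
LABELS = (
    "Nominal to MECO", "On-pad shutdown", "Successful RTLS", "Successful TAL",
    "Successful Aborts to Orbit", "Successful Aborts to MECO",
    "Non-intact abort - crew bailout", "Non-intact abort - loss of crew",
    "Benign SSME failure", "Catastrophic SSME failure",
    "External Tank failure", "Solid Rocket Booster failure",
)
# Counts transcribed from the two output listings on this page.
RUNS_1M = 1_000_000
COUNTS_1M = (914416, 802, 21350, 13769, 10413, 17992, 361, 0, 67796, 17974, 2, 2921)
RUNS_10K = 10_000
COUNTS_10K = (9146, 14, 206, 134, 96, 190, 2, 0, 667, 178, 1, 33)

# Assumption, checked by reconciles(): a benign SSME failure is an event that can
# precede several end states; the other eleven rows are mutually exclusive.
EVENT_TALLIES = {"Benign SSME failure"}


def end_states(counts):
    """Map each mutually exclusive end state to its count."""
    return {name: k for name, k in zip(LABELS, counts) if name not in EVENT_TALLIES}


def reconciles(counts, runs):
    """Every simulated flight must land in exactly one end state."""
    return sum(end_states(counts).values()) == runs


def wilson_interval(k, n, z=1.96):
    """95% Wilson score interval for k occurrences in n runs (usable at k == 0)."""
    p = k / n
    denom = 1.0 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def estimates(counts, runs):
    """Point estimate and interval for each end state: name -> (p, low, high)."""
    return {name: (k / runs, *wilson_interval(k, runs))
            for name, k in end_states(counts).items()}


def intervals_overlap(name):
    """True when the 10,000-run and 1,000,000-run intervals for a state agree."""
    _, lo_s, hi_s = estimates(COUNTS_10K, RUNS_10K)[name]
    _, lo_l, hi_l = estimates(COUNTS_1M, RUNS_1M)[name]
    return lo_s <= hi_l and lo_l <= hi_s


if __name__ == "__main__":
    for runs, counts in ((RUNS_10K, COUNTS_10K), (RUNS_1M, COUNTS_1M)):
        assert reconciles(counts, runs), "end states do not sum to the run count"
        print(f"\n{runs} runs")
        for name, (p, lo, hi) in estimates(counts, runs).items():
            print(f"  {name:<34}{p:.6f}  [{lo:.6f}, {hi:.6f}]")
```
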